Hi Christoph, The upstream.work-around-missing-dev-fd-links.patch doesn't work for the tpm2 pin yet.
You replaced exec with a child process but in this case the on_exit trap continues to run and the decryption with tpm2 pin will always fail with Delete temporary files failed! You need to clean up: $TMP because files will try to be removed twice. To fix, I've simply removed the lines 168-170 in clevis-decrypt-tpm2: # The on_exit() trap will not be fired after exec, so let's clean up the temp # directory at this point. [ -d "${TMP}" ] && rm -rf "${TMP}" because with subprocess the trap will be executed and now it works without issues for me. Thank you, Marek