

One major obstacle is third-party drivers, specifically Nvidia's, which force you to build and sign your own kernel modules. It can be done, but it's certainly more complexity than distributing signed binary drivers from the distro. I think Ubuntu has preliminary support for TPM-backed FDE, but only if you aren't using such drivers. It doesn't work in combination.
I don't want to sign my own modules. I want them shipped signed, so the key isn't expected to be on my machine. If I were doing kernel development work, I'd have disabled Secure Boot entirely anyway.
As long as the user owns the TPM and has full control over it, I don't see a problem. I paid for that hardware. I want to use it. There are already tools that can talk to it. It's just not fully implemented and integrated into the system in a secure fashion. Indirectly, you kind of point out why there hasn't been as much motivation to provide these features: because they're associated with the user giving up control. But it doesn't have to be this way. The hardware could work for me if the support were there.
With the right support, it can even be combined with the password. This lets me enforce that the drive only unlocks in this machine, with this password, and only with the software that I set. That’s certainly more secure than how most distros do FDE today. It covers more use cases and enables a much stronger threat model.
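The combination described above (a key sealed to this machine's TPM, bound to its measured boot state, and additionally requiring a PIN) is what systemd-cryptenroll sets up on a systemd-based distro. This is an added example, not the commenter's own setup; it assumes systemd 251 or newer, a LUKS2 root volume whose by-uuid path replaces the placeholder in DEVICE, and that a plain LUKS passphrase slot stays enrolled as the recovery path. With DRY_RUN=1 (the default) it only prints the commands and the crypttab line it would apply.

```shell
#!/bin/sh
# Added example: enroll a TPM2 + PIN unlock for a LUKS2 volume, bound to
# selected PCRs, and produce the matching /etc/crypttab entry.
# Assumes systemd >= 251 (systemd-cryptenroll with --tpm2-with-pin).
# DEVICE is a placeholder; replace it with the real by-uuid path.
DEVICE="${DEVICE:-/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID}"
DRY_RUN="${DRY_RUN:-1}"

# PCR selection. 7 = Secure Boot policy and the certificates that signed the
# boot chain; 0 = firmware code; 2 = option ROMs / third-party firmware drivers.
# Binding to 0+2 means every firmware update requires re-enrolling; if that
# churn is unacceptable, bind to 7 alone and let the PIN cover the rest.
PCRS="${PCRS:-0+2+7}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Enrollment command. --tpm2-with-pin=yes makes the TPM refuse to unseal the
# key unless the user also supplies the PIN, so possession of the machine
# alone is not enough. --wipe-slot=tpm2 replaces any earlier TPM enrollment.
enroll_cmd() {
    printf 'systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=%s --tpm2-with-pin=yes --wipe-slot=tpm2 %s\n' "$PCRS" "$DEVICE"
}

# crypttab entry: the initrd asks the TPM (and for the PIN) first and only
# falls back to the LUKS passphrase if the PCR policy no longer matches.
crypttab_line() {
    printf 'cryptroot %s none tpm2-device=auto,tpm2-pcrs=%s,tpm2-pin=yes\n' "$DEVICE" "$PCRS"
}

main() {
    run $(enroll_cmd)
    crypttab_line
    # Verify: with no enrollment options, systemd-cryptenroll lists the
    # enrolled slots; luksDump shows the tpm2 token and its PCR mask.
    run systemd-cryptenroll "$DEVICE"
    run cryptsetup luksDump "$DEVICE"
}

main "$@"
```

After a firmware or bootloader update that changes the bound PCRs, the TPM slot stops unsealing, the passphrase fallback unlocks the volume, and the enrollment command is simply re-run.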