Add support for full disk encryption

[superm1]

The encryption is accomplished using cryptsetup, but users do not enter passphrases. Instead, Clevis is used to store the passphrase in the LUKS header with a policy that decrypts the secret using the TPM.

During install time multiple different passphrases are used.

1. During phase 1, no passphrase used.
2. During phase 2, the hardcoded password passphrase is used.
3. At the end of phase 2, clevis uses this passphrase to do initial TPM binding (no PCR values).
4. At the end of phase 2, hardcoded password is discarded.
5. Before OOBE secure boot it turned on.
6. During OOBE (phase 3) the TPM policy is adjusted to use PCR7 to bind to.

Ideally this should also be bound to:

• PCR1; Capture the BIOS configuration and boot variables.
  Limitation with this is that if FW update is performed BootXXXX variable is created and BootOrder changed. Could break things. Might need to add a post script that fwupd can run to loosen policy for one boot and then on next boot strengthen it again.
  Also if a user changes BIOS settings they would break being able to boot again.
• PCR8 and PCR9 to capture the built kernel version
  Similar to PCR1 this would need to be updated every time that a kernel upgrade occurs to loosen policy for a boot and then strengthen it again.

This is dependent upon the following:

1. Ubuntu 20.04 (daily images fine)
2. This merge request for Ubiquity: https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376777
3. Clevis master (built into debian packages)
4. This merge request for Clevis: initramfs: Add support for LUK2 latchset/clevis#152
5. All clevis-tpm2 and tpm2-tools packages available at installation time in recovery media

[superm1]

superceded by #148