Did you explore clevis (https://github.com/latchset/clevis) as an alternative for this?
I have a very simple example in a gist, using TPM secrets sealed with a static PCR policy.
I am not sure if TPM PCR policy + Password is supported by clevis today, but it should be
easy to add.
It also supports an early boot unlocker with Dracut:
which apparently prompts for a password.
I am not sure if it supports both a TPM key and a user PIN.