On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote:

Mayyyybee systemd-homed is in
a position to solve this by having early enough authentication
capability by rescue.target time that any admin user can login?

Actually, it may. Things are confusing here, because systemd-homed is
implemented together with changes to how user metadata querying is done:
instead of using dbus, a brokerless and much simpler varlink query is used.
That last part is what would be relevant to early-boot logins, because
less services need to be up to bring up the user session.

There's one tricky feature of homed : remote login (ssh) is only possible after an initial local login. It is OK for his intended use (a personal laptop/tablet client), except for corner cases like a remotely accessed personal desktop in the basement that might get rebooted e.g. for updates, resulting in an accidental lockout.