Marc Thomas changed bug 1228863
What Removed Added
CC   opensuse@radok.me

Comment # 22 on bug 1228863 from Marc Thomas
While the re-enrollment was working for me with 20240807 and I could start
without a PIN, I got the recovery PIN prompt again with 20240808.
Initially I thought this was because I messed around with the recovery key
slots to rotate my recovery key, but the update ran in the background at the
same time.

To make sure it's not me, I did a reinstall and then did the following:

Cleared TPM via:
echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request
Reboot

Entered PIN.

localhost:~ # tpm2_dictionarylockout -Tdevice:/dev/tpmrm0 --setup-parameters
--max-tries=5 --clear-lockout

localhost:~ # /usr/lib/systemd/systemd-pcrlock remove-policy
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish()
Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession()
Esys Finish ErrorCode (0x0000018b) 
Failed to remove NV index, assuming data out of date, removing policy file.
Removed policy file '/var/lib/systemd/pcrlock.json'.
Removed policy file '/boot/efi/loader/credentials/pcrlock.aeon.cred'.

localhost:~ # systemd-cryptenroll --wipe=tpm2 /dev/nvme1n1p2
Wiped slot 0.

localhost:~ # sdbootutil --ask-pin update-predictions
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Recovery PIN: Garbage after device path end, ignoring.
NVIndex policy created

localhost:~ # systemd-cryptenroll --tpm2-device=auto /dev/nvme1n1p2
Automatically using pcrlock policy '/var/lib/systemd/pcrlock.json'.
Please enter current passphrase for disk /dev/nvme1n1p2: (press TAB for no
ec•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
New TPM2 token enrolled as key slot 0.

localhost:~ # systemd-cryptenroll /dev/nvme1n1p2
SLOT TYPE    
   0 tpm2
   2 recovery

After the next reboot the system still requests the PIN.
