Comment # 46 on bug 1228863 from Marc Thomas
This is now a completely different machine.
I gave up running Aeon on the other one, as it was a dual-boot one, which is not
a supported configuration.

This happened on a machine where only Aeon is installed.
After installing 20241030 the recovery key was requested.

Running sudo sdbootutil -vvv update-predictions is not successful (see file
sdbootutil_update-predictions.txt) and ends with:

WARNING:esys:src/tss2-esys/api/Esys_PolicyOR.c:286:Esys_PolicyOR_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_PolicyOR.c:100:Esys_PolicyOR() Esys Finish ErrorCode (0x000001c4)
Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context
Failed to submit super PCR policy: State not recoverable
Error creating the policy!
Please, provide the recovery PIN to register the new policy
NVIndex policy created

Running sudo sdbootutil -vvv --ask-pin update-predictions is also not
successful (see file sdbootutil_ask-pin_update-predictions.txt) and ends with:

WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000099d)
Failed to write NV index: tpm:session(1):a policy check failed
Failed to write to NV index: State not recoverable
Error creating the policy!
Provided PIN incorrect or TPM2 locked after too many retries
NVIndex policy created

The PIN has been copy/pasted to rule out typos.
I have rebooted the machine before the re-enroll to make sure it still does not
work.

The only way to fix this for me was a re-enroll of the TPM via the guide.
After these steps the machine boots normally without asking for the recovery.

