by mananaysiempre 34 days ago
> A normal reboot always [forces the TPM pin entry screen], even a 'hot' reboot.

In TPM-only mode, I only see the screen—which asks for a recovery key that serves as an alternative to the TPM-borne secret, not for whatever you are calling the “TPM PIN” here—whenever I update the firmware or the bootloader (the latter from the other side of the dual-boot setup). Otherwise it boots straight to the login screen, which meshes with the measured-boot-only theory of operation I’ve described above. There’s nothing nefarious in this part, even if I think it exposes an unwisely large attack surface (e.g. the USB stack). I suspect you simply reboot so rarely you’re never hitting the happy path.


No, I have the explicit PIN turned on. That means it requires a PIN entry on each boot. It's not the recovery screen, though it looks similar. It's also not a password that's then hashed. It unlocks the TPM with a short PIN; the number of attempts is limited by the TPM itself so that it doesn't get brute-forced.

This is not a standard option, I think it can only be set through a group policy.
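As an added example (not from either commenter), here is a PowerShell check a defender can run to see which pre-boot protector the OS volume actually has (TPM-only vs. TPM+PIN vs. recovery password) and how the "Require additional authentication at startup" policy is set. It assumes the built-in BitLocker module and an elevated prompt; the FVE registry value name and its 0/1/2 meanings are taken from the policy template, not from the thread.

```powershell
# Added example: report the BitLocker startup-authentication posture of one volume.
function Get-BitLockerStartupAuth {
    param([string]$MountPoint = $env:SystemDrive)

    # One BitLockerVolume object; KeyProtector lists every protector on the volume.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Policy "Require additional authentication at startup" lands under this key.
    # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow; absent = not configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $pinPolicy = 'Not configured'
    if ($null -ne $fve -and $null -ne $fve.UseTPMPIN) {
        $pinPolicy = switch ([int]$fve.UseTPMPIN) {
            0 { 'Startup PIN not allowed' }
            1 { 'Startup PIN required' }
            2 { 'Startup PIN allowed' }
            default { "Unexpected value $($fve.UseTPMPIN)" }
        }
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ', ')
        HasTpmOnly       = ($types -contains 'Tpm')
        HasTpmPin        = (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        PinPolicy        = $pinPolicy
    }
}

$r = Get-BitLockerStartupAuth
$r | Format-List

# TPM-only means the volume key is released on every clean boot with no user secret,
# which is the "straight to the login screen" behaviour described in the thread.
if ($r.HasTpmOnly -and -not $r.HasTpmPin) {
    Write-Warning "Pre-boot authentication is TPM-only; consider a TPM+PIN protector."
}
# Without a recovery password, a TPM lockout or firmware/bootloader change
# (the cases where the recovery screen appears) leaves no way back in.
if ($r.HasTpmPin -and -not $r.HasRecoveryKey) {
    Write-Warning "No recovery password protector is present; escrow one before relying on the PIN."
}
```

Run it per volume to confirm that the `TpmPin` protector, not just the `Tpm` one, is what the machine actually boots with.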