Comment by michaelt

> It could also let the TPM verify the disk decryption password (when it's needed.)

The design intent is basically:

1. The TPM is very sensitive, and errs on the side of not unlocking your disk.

Booting into recovery mode to fix a driver? Reinstalled your distro? Added a MOK so you can install the nvidia drivers? Toggled certain options in your BIOS? The expected-computer-state checksums are wrong, better not unlock the disk as it could be an attack.

2. When this happens, you key in the password instead.

You can't rely on the TPM to verify the manually entered password, as the intent of the manually entered password is to recover when the TPM is in a broken state.