Should I clear TPM on Surface Pro 3 before full Zorin OS 18 install?

I have a Surface Pro 3 that is currently set up with Windows 8.1 Pro and Zorin OS 18 dual boot. I want to fully wipe the internal SSD and just have Zorin OS 18 as the only operating system on the device. The Windows 8.1 Pro installation had BitLocker automatically enabled, which became very problematic (the Windows drive won't fully decrypt; it gets stuck around 70%ish. BitLocker also requires the recovery key after every reboot despite secure boot being off) after I installed Zorin as a dual boot option a couple months ago. I am planning on having secure boot enabled before making my clean standalone install of Zorin 18 on this Surface Pro. I was wondering if I should clear the TPM from BIOS in case the old keys mess up something later on. Or is the TPM with the old keys harmless and there's no advantage to clearing it?

For the most part, users here will recommend you leave secure boot off if you're not going to install Windows. It's not that there's ZERO risk in Linux; it's that the risk vs. hassle comparison is different. If you're certain you want secure boot on, leaving the keys shouldn't hurt anything, but removing them shouldn't either. Removing them burns bridges in terms of accessing anything encrypted with TPM support (like BitLocker), but they shouldn't hurt anything.

Are you planning on doing whole drive encryption on the Surface after installing Zorin? If you are, be aware that you'll likely need the Surface kernel and POSSIBLY need to do some extra work to get the keyboard working for entering your encryption password. You may still want the Surface kernel even if you're not encrypting, but the extra work for the keyboard won't be an issue. (The short version is that the keyboard driver is in the encrypted portion of the drive, so some models won't be able to access it unless you go out of your way to have it in the initramfs. I ran into this just this last weekend on a different distribution.)

I'm not planning on doing whole drive encryption. I was already planning on installing the Surface Linux Kernel for maximum hardware compatibility after the initial Zorin OS install.

I was thinking of having secure boot enabled since Zorin OS 18 now recommends it be turned on. Also, aren't there some drivers that require secure boot be enabled to function?

It's the other way around. A fair bit of stuff isn't signed, and thus can't be loaded with secure boot turned on. That said, if you run into something like that you can always turn it off at that time; you don't have to start with secure boot turned off. (The stuff that won't function without secure boot is largely stuff that's actively checking for it, like certain anti-cheats in Windows, that want to make sure you're not deliberately loading something at the kernel level to enable cheating, but those don't work in Linux anyway, even with WINE/Proton, etc.)
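
A way to check, before switching secure boot on, whether the firmware currently enforces it and which loaded kernel modules carry no signature (and so would be refused under enforcement). This is an added example, not something posted in the thread; the function names are hypothetical, and it assumes a Linux system with efivarfs mounted and `modinfo` installed.

```shell
#!/bin/sh
# Added example. SecureBoot lives under the EFI global-variable GUID
# defined by the UEFI specification.
SB_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [FILE]
# An efivarfs file is 4 attribute bytes followed by the variable data.
# For SecureBoot the data is one byte: 1 = enforcing, 0 = not enforcing.
secure_boot_state() {
    f="${1:-$SB_VAR}"
    # Legacy BIOS boot or efivarfs not mounted: nothing to read.
    [ -r "$f" ] || { echo "unknown"; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# unsigned_modules [FILE]
# FILE has the /proc/modules layout (module name in the first column).
# Prints every listed module for which modinfo reports no signer.
unsigned_modules() {
    list="${1:-/proc/modules}"
    [ -r "$list" ] || return 0
    while read -r name _rest; do
        [ -n "$name" ] || continue
        signer=$(modinfo -F signer "$name" 2>/dev/null) || signer=""
        [ -n "$signer" ] || echo "$name"
    done < "$list"
}

echo "Secure Boot: $(secure_boot_state)"
echo "Loaded modules without a signer:"
unsigned_modules
```

An empty module list means everything currently loaded is signed; any name printed is a driver to re-check after enabling secure boot, since a signature only helps if the signing key is one the system trusts.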