Support adding .pcrsig & .pcrpkey sections to UKIs
Per systemd-stub(7),
- .pcrsig contains a set of cryptographic signatures for expected TPM2 PCR values,
- .pcrpkey contains a public key that signed the signature data.
These are required to use systemd-cryptenroll's --tpm2-public-key=, --tpm2-public-key-pcrs= and --tpm2-signature= options, i.e. to avoid hardcoding the PCR values in the LUKS header.
.pcrpkey is simple: just attach the file. .pcrsig is not simple. The signature requires running systemd-measure after the initramfs is generated but before the UKI is constructed, i.e. at a stage after build hooks, but before post hooks.
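
The ordering constraint above, as an added example that is not code from this issue or from the project: the signing step refuses to run until every measured input, including the generated initramfs, exists, and the section list is only produced once a signature file is present. The function names, the `run` helper, `DRY_RUN` and all file paths are assumptions; the `systemd-measure sign` options are the ones documented in systemd-measure(1).

```sh
#!/bin/sh
# Added example. Paths are caller-supplied placeholders.
MEASURE=${MEASURE:-/usr/lib/systemd/systemd-measure}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sign_pcrs KERNEL INITRD OSREL CMDLINE PRIVKEY PUBKEY
# Writes the .pcrsig JSON to stdout. Every measured input must already exist,
# because the signature covers the exact bytes that end up in the UKI.
sign_pcrs() {
    [ "$#" -eq 6 ] || { echo "usage: sign_pcrs KERNEL INITRD OSREL CMDLINE PRIVKEY PUBKEY" >&2; return 2; }
    for f in "$@"; do
        [ -s "$f" ] || { echo "sign_pcrs: missing or empty input: $f" >&2; return 1; }
    done
    # .pcrpkey is itself measured into PCR 11, so it is passed as an input too.
    run "$MEASURE" sign \
        --linux="$1" --initrd="$2" --osrel="$3" --cmdline="$4" \
        --pcrpkey="$6" --bank=sha256 \
        --private-key="$5" --public-key="$6"
}

# uki_pcr_sections PUBKEY PCRSIG
# Prints "section=file" pairs for the UKI builder to attach.
uki_pcr_sections() {
    [ -s "$2" ] || { echo "uki_pcr_sections: run sign_pcrs first: $2" >&2; return 1; }
    printf '.pcrpkey=%s\n.pcrsig=%s\n' "$1" "$2"
}
```

A caller would redirect `sign_pcrs` output to a file after the build hooks finish, then hand the pairs from `uki_pcr_sections` to whatever assembles the UKI.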