/run/systemd/tpm2-pcr-{signature.json|public-key.pem} are not created when booting a UKI
Initially reported here: https://github.com/systemd/systemd/issues/32232
I'm looking into it but I have to make sure I understand all the ins and outs before proposing anything