Provide an option to get PCR11 and PCR12 when building an UKI

[clauverjat]

Hello,

Thanks for your work on mkosi, I recently started to use it, and it's been a great experience.

It would be great to be able to directly obtain the expected value of PCR11 and PCR12 when the output is an UKI.
I might have missed something, but it looks to me that today the only related option is "--sign-expected-pcr" which actually embeds the PCR signature inside the image.

To give more context, my usecase is to remotely attest a machine. In that case it is useful to have the golden PCR for index 11 and 12, in order to check the quote against the expected value. Of course one could simply do a "mkosi qemu" and then get the PCR via "systemd-analyze pcrs". But we should have all the information we need already when building the UKI, so it seems a bit silly to go through all that.

Thanks

[behrmann]

It would be nice to add something like this to the manifest. Happy to review a PR.

[DaanDeMeyer]

We don't really know that information anymore, it's all in ukify. Maybe ukify inspect should be extended to show this information.

[DaanDeMeyer]

Hmm, it should probably be systemd-measure that should learn how to extract this from a given UKI. Then we can run that and put the information in the manifest.

[DaanDeMeyer]

#3377 contains a new SplitArtifacts=pcrs option that will fix this I think.