feat: check tpm unlocking signatures are valid on upgrade

[Itxaka]

Part 2 of #2200

While we now should be checking the EFI signature to confirm it can boot, we are not checking if the measurements of the EFI file are able to unlock the encrypted parts.

we should try to add this as it could lead to confusing errors in which you upgrade and boot, but then you cant unlock the partitions so you cannot log in (and apparently the system booted just fine)

The idea would be:

• extract the .pcrsign section fo the efi file as text
• use that to try and unlock the partition

problems:

• if partitions are unlocked, can we check if the key is valid?
  • check systemd-cryptattach to see if its possible
  • check cryptsetup luksAddKey as that first tries to unlock?

[ci-robbot]

To properly handle this issue, I will need more information. Could you please specify the versions of the artifacts you are using? This will help us to better understand the issue and provide a more accurate solution.

Please update the issue with the version information, and once that's done, the issue will be labeled as 'triage'.

I am a bot, an experiment of @mudler and @jimmykarily, auditing issues to ensure they meet the project's requirements. If you have any questions, feel free to ask.