Pre-calculate and sign PCR 11 values on build

[brdanin]

This PR changes the current encryption behaviour in favour of binding to signatures of PCR 11 values with signed public key based policies. Binding to PCR 7 is kept static, as the Secure Boot state should not change during e.g. a kernel upgrade.

Following steps are being performed during the build process if a partition with the feature flag tpm2 is defined in the fstab.mod file:

1. PCR 11 values get pre-calculated during the build process using ukfiy(could be changed in the future to systemd-measure)
2. Generates a valid PCR signature JSON for the given build based on the values calculated in Step 1
3. Combines .pcrsig and .pcrpkey sections into the final bootable Unified Kernel Image
4. Optional: This UKI file can also be signed if Secure Boot is enabled

These steps are executed by the OS during boot:

1. When creating the defined partitions, systemd-repart binds the encryption to the signature values defined in tpm2-pcr-signature.json (.pcrsig)
2. systemd-cryptsetup then valides this signatures with the PCR 11 values present on the system and the public key provided using the tpm2-pcr-public-key.pem (.pcrpkey) certificate file
3. If all checks out, the boot process is continued and the partition can then be mounted and accessed