Check for `systemd-pcrlock is-supported`

[SomeoneSerge]

Enabling measuredBoot on thinkpad t460s, nixos-rebuild boot step fails with:

$ nixos-rebuild boot ... --install-bootloader
...
Installing Lanzaboote to "/boot"...
Collecting garbage...
Successfully installed Lanzaboote.
Predicting the PCR state for future boots...
Event log header has unexpected event type 0x00000008. (Probably not a TPM2 event log?)
Failed to install bootloader
Command '..../switch-to-configuration boot' returned non-zero exit status 1.

This is despite bootctl showing

...
System:
      Firmware: UEFI 2.40 (Lenovo 0.5504)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: yes
  Boot into FW: supported
...

Details

Current Boot Loader: Product: systemd-boot 259.3 Features: ✓ Boot counting ✓ Menu timeout control ✓ One-shot menu timeout control ✓ Default entry control ✓ One-shot entry control ✓ Support for XBOOTLDR partition ✓ Support for passing random seed to OS ✓ Load drop-in drivers ✓ Support Type #1 sort-key field ✓ Support @saved pseudo-entry ✓ Support Type #1 devicetree field ✓ Enroll SecureBoot keys ✓ Retain SHIM protocols ✓ Menu can be disabled ✓ Multi-Profile UKIs are supported ✓ Loader reports network boot URL ✓ Support Type #1 uki field ✓ Support Type #1 uki-url field ✓ Loader reports active TPM2 PCR banks

@WilliButz suggests the issue is predictable with:

$ sudo /run/current-system/sw/lib/systemd/systemd-pcrlock is-supported
obsolete

...and due to

$ systemd-analyze pcrs
NR NAME                SHA1
...

...only supporting SHA1

[WilliButz]

Just for completeness: support for sha256 is also checked by is-supported: https://github.com/systemd/systemd/blob/v260.1/src/pcrlock/pcrlock.c#L5028-L5029

[nikstur]

We should tell users how to check for a supported TPM in the docs.