If PCR7 isn't supported for some reason, e.g., because secure boot is disabled or the device is not in deployed mode, then we should be able to fall back to a safe profile that includes PCRs 1, 2, 3, 4 and 5. PCR 2 and 4 are for binding to all code that's loaded outside of the platform firmware.
PCR1 is to bind to all of the platform firmware's configuration - currently, changes to security-sensitive settings such as enabling a debugger or disabling DMA remapping change the value of PCR7 by adding extra EV_EFI_ACTION events.
PCR3 contains any configuration related to UEFI drivers that are not part of the platform firmware.
PCR5 contains the GPT of the IBL and can be used for any bootloader configuration, and support for this will be tracked in a separate issue.
To support this, the efi package needs a new WithPlatformConfigProfile API that will support PCR1.
Most events for PCR1 will be copied from the log to the profile, with the exception of:
- BootOrder and BootXXXX global variable EV_EFI_VARIABLE_BOOT and EV_EFI_VARIABLE_BOOT2 events, as these can be computed in order to support updating these variables.
- EV_ACTION events with the data "Entering ROM Based Setup" - profile generation should fail in this case and the pre-install checks should catch this and advise a reboot if PCR1 is required.
- EV_ACTION events with the data "Chassis Intrusion" - profile generation should fail in this case and the pre-install checks should catch this and advise this condition is cleared before continuing if PCR1 is required.
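The PCR1 rules listed above, as an added Go example that is not the efi package's code or the proposed API: `Event`, `PCR1Profile` and the `bootVar` hook are hypothetical names, a SHA-256 PCR bank is assumed, and the one-event log in `main` is constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

const ( // event type values from the TCG PC Client Platform Firmware Profile spec
	EvAction           uint32 = 0x00000005
	EvEFIVariableBoot  uint32 = 0x80000002
	EvEFIVariableBoot2 uint32 = 0x8000000C
)

var ErrROMSetup = errors.New("PCR1: firmware setup was entered this boot, reboot first")
var ErrIntrusion = errors.New("PCR1: chassis intrusion recorded, clear it first")

type Event struct { // simplified, already-parsed log entry (hypothetical type)
	PCR    int
	Type   uint32
	Digest [32]byte // SHA-256 digest recorded in the log
	Data   []byte
}

// PCR1Profile replays the log's PCR1 events into the expected PCR1 value.
// bootVar (hypothetical hook) recomputes the digest of BootOrder/BootXXXX events.
func PCR1Profile(log []Event, bootVar func(Event) [32]byte) ([32]byte, error) {
	var pcr [32]byte
	for _, ev := range log {
		d, action := ev.Digest, string(bytes.TrimRight(ev.Data, "\x00"))
		switch {
		case ev.PCR != 1:
			continue
		case ev.Type == EvEFIVariableBoot || ev.Type == EvEFIVariableBoot2:
			d = bootVar(ev) // computed rather than copied, so the variables can change
		case ev.Type == EvAction && action == "Entering ROM Based Setup":
			return pcr, ErrROMSetup
		case ev.Type == EvAction && action == "Chassis Intrusion":
			return pcr, ErrIntrusion
		}
		pcr = sha256.Sum256(append(pcr[:], d[:]...)) // extend: PCR = H(PCR || digest)
	}
	return pcr, nil
}

func main() {
	_, err := PCR1Profile([]Event{{PCR: 1, Type: EvAction, Data: []byte("Chassis Intrusion")}}, nil)
	fmt.Println(err)
}
```

Returning an error instead of a digest for the two EV_ACTION cases is what lets a pre-install check surface the reboot or intrusion condition before any key is sealed to PCR1.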
chrisccoulson changed the title from "Add WithPlatformFirmwareConfigProfile() (for PCR1)" to "Add WithPlatformConfigProfile() (for PCR1)" on Oct 11, 2024