diff --git a/docs/TPM2_PCR_MEASUREMENTS.md b/docs/TPM2_PCR_MEASUREMENTS.md
index f92b8a5ed5..7601c15531 100644
--- a/docs/TPM2_PCR_MEASUREMENTS.md
+++ b/docs/TPM2_PCR_MEASUREMENTS.md
@@ -16,8 +16,8 @@ measurements listed below are (by default) only done if a system is booted with
 to systemd's UEFI-mode measurements, and if the latter are not done the former
 aren't made either.
 
-systemd will measure to PCRs 11 (`kernel-boot`), 12 (`kernel-config`), 13
-(`sysexts`), 15 (`system-identity`).
+systemd will measure to PCRs 5 (`boot-loader-config`), 11 (`kernel-boot`),
+12 (`kernel-config`), 13 (`sysexts`), 15 (`system-identity`).
 
 Currently, four components will issue TPM2 PCR measurements:
 
@@ -31,6 +31,17 @@ maintained in `/run/log/systemd/tpm2-measure.log`.
 
 ## PCR Measurements Made by `systemd-boot` (UEFI)
 
+### PCS 5, `EV_EVENT_TAG`, "loader.conf"
+
+The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
+measured as a tagged event.
+
+→ **Event Tag** `0xf5bc582a`
+
+→ **Description** in the event log record is the file name, `loader.conf`.
+
+→ **Measured hash** covers the content of `loader.conf` as it is read from the ESP.
+
 ### PCR 12, `EV_IPL`, "Kernel Command Line"
 
 If the kernel command line was specified explicitly (by the user or in a Boot
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index de801ceb37..c28ec01975 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -21,6 +21,7 @@
 #include "secure-boot.h"
 #include "shim.h"
 #include "ticks.h"
+#include "tpm2-pcr.h"
 #include "util.h"
 #include "version.h"
 #include "vmm.h"
@@ -38,6 +39,8 @@ DECLARE_NOALLOC_SECTION(
 
 DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
 
+#define LOADER_CONF_CONTENT_EVENT_TAG_ID UINT32_C(0xf5bc582a)
+
 typedef enum LoaderType {
 LOADER_UNDEFINED,
 LOADER_AUTO,
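Review bot: `LOADER_CONF_CONTENT_EVENT_TAG_ID` is introduced as a bare magic number with no comment, although the same value is published in docs/TPM2_PCR_MEASUREMENTS.md and ends up in every TPM event log as the tag of the loader.conf measurement, which makes it part of a format external verifiers will match on. A one-line comment above the define would make that contract visible to the next person who touches it, e.g. `/* Event tag for the measurement of loader.conf's content into PCR 5 (see docs/TPM2_PCR_MEASUREMENTS.md). It is part of the event log format and must never change. */`. Keeping the docs and this define in sync is then a stated requirement rather than a coincidence.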
@@ -1621,7 +1624,7 @@ static EFI_STATUS efivar_get_timeout(const char16_t *var, uint32_t *ret_value) {
 static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
 _cleanup_free_ char *content = NULL;
-size_t value = 0; /* avoid false maybe-uninitialized warning */
+size_t content_size, value = 0; /* avoid false maybe-uninitialized warning */
 EFI_STATUS err;
 
 assert(root_dir);
 
@@ -1638,9 +1641,19 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
 .timeout_sec_efivar = TIMEOUT_UNSET,
 };
 
-err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, NULL);
-if (err == EFI_SUCCESS)
+err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, &content_size);
+if (err == EFI_SUCCESS) {
 config_defaults_load_from_file(config, content);
+err = tpm_log_tagged_event(
+TPM2_PCR_BOOT_LOADER_CONFIG,
+POINTER_TO_PHYSICAL_ADDRESS(content),
+content_size,
+LOADER_CONF_CONTENT_EVENT_TAG_ID,
+u"loader.conf",
+/* ret_measured= */ NULL);
+if (err != EFI_SUCCESS)
+log_error_status(err, "Error measuring loader.conf into TPM: %m");
+}
 
 err = efivar_get_timeout(u"LoaderConfigTimeout", &config->timeout_sec_efivar);
 if (err == EFI_SUCCESS)
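Review bot: `size_t content_size, value = 0;` puts an uninitialized and an initialized variable into one declaration, and the trailing `/* avoid false maybe-uninitialized warning */` now reads as if it covered both, although only `value` needed it. Declaring `content_size` on its own line as `size_t content_size = 0;` keeps the warning comment attached to `value` and gives `content_size` a defined value on every path, even though it is only read inside the file_read success branch later in the function. config_load_defaults continues past this hunk.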
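Review bot: The buffer is measured into PCR 5 only after `config_defaults_load_from_file(config, content)` has consumed it, so the digest recorded in the event log reflects whatever that parser leaves in `content`, not necessarily the file as read from the ESP that the docs hunk promises; if the parser tokenizes the buffer in place (not visible in this hunk, worth checking), the recorded hash will not match the on-disk file and cannot be reproduced by a remote verifier. Issuing the `tpm_log_tagged_event(...)` call right after the successful `file_read` and moving `config_defaults_load_from_file(config, content);` below the `if (err != EFI_SUCCESS) log_error_status(...)` line removes that dependency on parser behaviour and follows the measure-then-use order expected of measured boot. Either way `err` is overwritten by the following efivar_get_timeout call, so a failed measurement is log-only and boot proceeds with the unmeasured configuration; if that is the intended policy a short comment saying so would help. The enclosing function starts before and ends after this hunk. Separately, the heading added in the docs hunk reads `### PCS 5`, which should be `### PCR 5`.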