boot: measure loader.conf in PCR5

Results in:

- EventNum: 26
  PCRIndex: 5
  EventType: EV_EVENT_TAG
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: 155fb999ca61ba8c7b1f1d87cee821f772ef084a
  - AlgorithmId: sha256
    Digest: 4c26adf231603613afc00bb3d5cad046aec6a525ca01262417c7085caab452b5
  - AlgorithmId: sha384
    Digest: 3e0758cb6605ac274e55d747bf29ee3474fc4413cd5e7a451d1375219cd7f08a30fc915a8df7131657ca78b82b9ccec8
  - AlgorithmId: sha512
    Digest: e32d905b9092c543802f386db9a397d9b6593bdb8360fb747a6d23e491a09595fec8699184cc790d0873a3d52ed16d045538f0c73ece48278fae0fb6ed9b4ed6
  EventSize: 32
  Event: 2a58bcf5180000006c006f0061006400650072002e0063006f006e0066000000

docs/TPM2_PCR_MEASUREMENTS.md

@@ -16,8 +16,8 @@ measurements listed below are (by default) only done if a system is booted with
 to systemd's UEFI-mode measurements, and if the latter are not done the former
 aren't made either.
 
-systemd will measure to PCRs 11 (`kernel-boot`), 12 (`kernel-config`), 13
-(`sysexts`), 15 (`system-identity`).
+systemd will measure to PCRs 5 (`boot-loader-config`), 11 (`kernel-boot`),
+12 (`kernel-config`), 13 (`sysexts`), 15 (`system-identity`).
 
 Currently, four components will issue TPM2 PCR measurements:
 
@@ -31,6 +31,17 @@ maintained in `/run/log/systemd/tpm2-measure.log`.
 
 ## PCR Measurements Made by `systemd-boot` (UEFI)
 
+### PCS 5, `EV_EVENT_TAG`, "loader.conf"
+
+The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
+measured as a tagged event.
+
+→ **Event Tag** `0xf5bc582a`
+
+→ **Description** in the event log record is the file name, `loader.conf`.
+
+→ **Measured hash** covers the content of `loader.conf` as it is read from the ESP.
+
 ### PCR 12, `EV_IPL`, "Kernel Command Line"
 
 If the kernel command line was specified explicitly (by the user or in a Boot