check shim version before installing with LUKS root

[jmpolom]

As shown in #421 if the shim version is not the same between the installation OS (could be anything really) booted when/where bootc install to-disk --block-setup tpm2-luks is run, the resulting system will fail to boot as PCR #7 hash changes when booted with the different EFI shim.

If a LUKS root is chosen for the installation to disk, bootc should check the shim version in the container image to be installed against the version available on the host system. If they do not agree, bootc should not proceed with the installation and produce an informative error message.

It also might be necessary to advise of restrictions with the to-disk installation workflow when using a LUKS root to ensure an installation OS is used that shares the same EFI shim as the system to be installed. This could be a documentation update or some more informative help messages produced by bootc. Or both.