I dug a bit further and found:
reboot-for-bitlocker
Caveat: This feature is experimental, and is likely to be changed (or removed in its current form) in a future version of systemd.
Work around BitLocker requiring a recovery key when the boot loader was updated (disabled by default).
Try to detect BitLocker encrypted drives along with an active TPM. If both are found and Windows Boot Manager is selected in the boot menu, set the “BootNext” EFI variable and restart the system. The firmware will then start Windows Boot Manager directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption key. This allows systemd-boot(7) to be updated without having to provide the recovery key for BitLocker drive unlocking.
Note that the PCRs that Windows uses can be configured with the “Configure TPM platform validation profile for native UEFI firmware configurations” group policy under “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption”. When Secure Boot is enabled, changing this to PCRs “0,2,7,11” should be safe. The TPM key protector needs to be removed and then added back for the PCRs on an already encrypted drive to change. If PCR 4 is not measured, this setting can be disabled to speed up booting into Windows.
Added in version 251.
source: https://www.freedesktop.org/software/systemd/man/latest/loader.conf.html
You had this in the journal:
It might be that it has been removed as implied in the quote above. Not sure why EnOS has it in the loader.conf.
Since it is already commented out (disabled by default), I would say it is safe to remove it altogether.
You aren’t even using Windows with BitLocker on your system, are you?
PS. I was wrong about the lack of reference in man loader.conf. I overlooked it at first glance. It is there as well: man loader.conf
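As an added example (not from the post, EndeavourOS or systemd), here is a small POSIX shell check that reports how reboot-for-bitlocker is set in a loader.conf read from stdin, distinguishing a commented-out line (inert, as the post notes) from an active setting. The sample config is constructed, and "the last active occurrence wins" is an assumption about systemd-boot's parser, not something the manual states.

```shell
#!/bin/sh
# Added example: classify the reboot-for-bitlocker key in a systemd-boot
# loader.conf supplied on stdin. Prints exactly one of:
#   enabled | disabled | commented | unset
# Assumptions: boolean values use systemd's yes/no/true/false/1/0/on/off
# spellings, and the last uncommented occurrence of the key is the one
# that takes effect.
reboot_for_bitlocker_state() {
    state=unset
    # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            '#'*reboot-for-bitlocker*)
                # A commented-out key is inert; only record it when no
                # active setting has been seen so far.
                if [ "$state" = unset ]; then state=commented; fi
                ;;
            reboot-for-bitlocker*)
                value=$(printf '%s' "$trimmed" | awk '{print tolower($2)}')
                case "$value" in
                    yes|true|1|on) state=enabled ;;
                    *)             state=disabled ;;
                esac
                ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed sample resembling a distribution-shipped loader.conf in which
# the option is present but commented out (disabled by default).
sample_conf='timeout 5
default @saved
console-mode auto
#reboot-for-bitlocker no'

printf '%s\n' "$sample_conf" | reboot_for_bitlocker_state   # prints: commented
```

Run it against the real file with `reboot_for_bitlocker_state < /boot/loader/loader.conf` (or `/efi/loader/loader.conf`, depending on where the ESP is mounted).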