Add support for `ms-cert` on EFI disk

[Safranil]

Describe the bug
Unable to set ms-cert to 2023k on EFI disk for resource proxmox_virtual_environment_vm

To Reproduce
Steps to reproduce the behavior:

1. Create a resource 'proxmox_virtual_environment_vm'
2. Apply changes
3. Open PVE web UI
4. A warning is shown on VM start

[...]
/dev/rbd28
WARN: EFI disk without 'ms-cert=2023k' option, suggesting that not all UEFI 2023
certificates from Microsoft are enrolled yet.
The UEFI 2011 certificates expire in June 2026! The new certificates are required
for secure boot update for Windows and common Linux distributions.
Use 'Disk Action > Enroll Updated Certificates' in the UI or, while the VM is
shut down, run 'qm enroll-efi-keys 17856' to enroll the new certificates.

For Windows with BitLocker, run the following command inside Powershell:
  manage-bde -protectors -disable <drive>
for each drive with BitLocker (for example, <drive> could be 'C:').
This is required for each drive with BitLocker before proceeding with enrollment.
Otherwise, you will be prompted for the BitLocker recovery key on the next boot.
TASK WARNINGS: 1

resource "proxmox_virtual_environment_vm" "vm" {
  # [...]

  efi_disk {
    datastore_id      = var.proxmox_datastore_disk
    file_format       = "raw"
    pre_enrolled_keys = true
  }

  # [...]
}

After following the provided steps in the UI the config file changed:

-efidisk0: ceph-vms:vm-17856-disk-0,efitype=2m,pre-enrolled-keys=1,size=1M
+efidisk0: ceph-vms:vm-17856-disk-0,efitype=2m,ms-cert=2023k,pre-enrolled-keys=1,size=1M

Expected behavior
An option should be added to allow setting ms-cert value on EFI disk.

Additional context
Add any other context about the problem here.

• Single or clustered Proxmox: Clustered, 3 nodes
• Proxmox version: 9.1.11
• Provider version: 0.106.0
• OpenTofu version: 0.106.0 (with Terragrunt v0.91.2)
• OS (where you run Terraform/OpenTofu from): Debian 13.5
• Debug logs (TF_LOG=DEBUG terraform apply):

Debug logs

17:43:48.100 INFO   tofu: TF_LOG: backend/local: apply calling Apply
17:43:48.265 INFO   tofu: TF_LOG: provider.terraform-provider-proxmox_v0.106.0: Configuring the Framework Proxmox provider...: @caller=../../../runner/work/terraform-provider-proxmox/terraform-provider-proxmox/fwprovider/provider.go:301 @module=proxmox tf_mux_provider="*proto6server.Server" tf_provider_addr=registry.terraform.io/bpg/proxmox tf_rpc=ConfigureProvider tf_req_id=ed6d1b8f-c56d-6b99-fc30-298116b97259 timestamp="2026-05-22T17:43:48.265+0200"
17:43:48.265 INFO   tofu: TF_LOG: provider.terraform-provider-proxmox_v0.106.0: Configuring the SDK Proxmox provider...: @caller=../../../runner/work/terraform-provider-proxmox/terraform-provider-proxmox/proxmoxtf/provider/provider.go:50 tf_mux_provider=tf5to6server.v5tov6Server tf_provider_addr=registry.terraform.io/bpg/proxmox @module=proxmox tf_req_id=ed6d1b8f-c56d-6b99-fc30-298116b97259 tf_rpc=ConfigureProvider timestamp="2026-05-22T17:43:48.265+0200"
17:43:48.279 WARN   tofu: TF_LOG: Provider "provider[\"registry.opentofu.org/bpg/proxmox\"]" produced an invalid plan for module.vm_REDACTED.proxmox_virtual_environment_vm.vm, but we are tolerating it because it is using the legacy plugin SDK.
17:43:48.279 STDERR tofu:     The following problems may be the cause of any confusing errors from downstream operations:
17:43:48.279 STDERR tofu:       - .network_device: planned value cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"bridge":cty.StringVal("servers"), "disconnected":cty.NullVal(cty.Bool), "enabled":cty.True, "firewall":cty.True, "mac_address":cty.StringVal("bc:24:11:60:a5:42"), "model":cty.StringVal("virtio"), "mtu":cty.NumberIntVal(0), "queues":cty.NumberIntVal(0), "rate_limit":cty.NumberIntVal(0), "trunks":cty.NullVal(cty.String), "vlan_id":cty.NumberIntVal(0)})}) does not match config value cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"bridge":cty.StringVal("servers"), "disconnected":cty.NullVal(cty.Bool), "enabled":cty.NullVal(cty.Bool), "firewall":cty.True, "mac_address":cty.StringVal("bc:24:11:60:a5:42"), "model":cty.NullVal(cty.String), "mtu":cty.NullVal(cty.Number), "queues":cty.NullVal(cty.Number), "rate_limit":cty.NullVal(cty.Number), "trunks":cty.NullVal(cty.String), "vlan_id":cty.NullVal(cty.Number)})})
17:43:48.279 STDERR tofu:       - .purge_on_destroy: planned value cty.True for a non-computed attribute
17:43:48.279 STDERR tofu:       - .reboot: planned value cty.False for a non-computed attribute
17:43:48.279 STDERR tofu:       - .reboot_after_update: planned value cty.True for a non-computed attribute
17:43:48.279 STDERR tofu:       - .protection: planned value cty.False for a non-computed attribute
17:43:48.279 STDERR tofu:       - .timeout_stop_vm: planned value cty.NumberIntVal(300) for a non-computed attribute
17:43:48.279 STDERR tofu:       - .timeout_migrate: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .timeout_reboot: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .timeout_shutdown_vm: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .acpi: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .delete_unreferenced_disks_on_destroy: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .tablet_device: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .timeout_start_vm: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .on_boot: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .scsi_hardware: planned value cty.StringVal("virtio-scsi-pci") for a non-computed attribute
17:43:48.280 STDERR tofu:       - .timeout_clone: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .started: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .template: planned value cty.False for a non-computed attribute
17:43:48.280 STDERR tofu:       - .timeout_move_disk: planned value cty.NumberIntVal(1800) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .vga[0].memory: planned value cty.NumberIntVal(16) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .efi_disk[0].type: planned value cty.StringVal("2m") for a non-computed attribute
17:43:48.280 STDERR tofu:       - .agent[0].type: planned value cty.StringVal("virtio") for a non-computed attribute
17:43:48.280 STDERR tofu:       - .agent[0].timeout: planned value cty.StringVal("15m") for a non-computed attribute
17:43:48.280 STDERR tofu:       - .cpu[0].hotplugged: planned value cty.NumberIntVal(0) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .cpu[0].limit: planned value cty.NumberIntVal(0) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .cpu[0].numa: planned value cty.False for a non-computed attribute
17:43:48.280 STDERR tofu:       - .cpu[0].sockets: planned value cty.NumberIntVal(1) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .memory[0].keep_hugepages: planned value cty.False for a non-computed attribute
17:43:48.280 STDERR tofu:       - .memory[0].shared: planned value cty.NumberIntVal(0) for a non-computed attribute
17:43:48.280 STDERR tofu:       - .cdrom[0].enabled: planned value cty.False for a non-computed attribute
17:43:48.280 STDERR tofu:       - .disk[0].backup: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .disk[0].iothread: planned value cty.False for a non-computed attribute
17:43:48.280 STDERR tofu:       - .disk[0].replicate: planned value cty.True for a non-computed attribute
17:43:48.280 STDERR tofu:       - .disk[0].aio: planned value cty.StringVal("io_uring") for a non-computed attribute
17:43:48.279 INFO   tofu: TF_LOG: Starting apply for module.vm_REDACTED.proxmox_virtual_environment_vm.vm
17:43:48.280 STDOUT tofu: module.vm_REDACTED.proxmox_virtual_environment_vm.vm: Creating...