Add TODO in README for selective enrollement

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

README.md

@@ -117,3 +117,73 @@ TEST SUITE: None
 # Installs challenger
 $ helm install kairos-challenger kairos/kcrypt-challenger
 ```
+
+## TODO: Implement Selective Enrollment Mode for Attestation Data
+
+### Problem Statement
+
+Currently, the TPM attestation system faces operational challenges in real-world deployments:
+
+1. **Test Complexity**: Tests require manually creating SealedVolumes with complex mock attestation data (EK, AK, PCR values)
+2. **Upgrade Compatibility**: Kernel upgrades change PCR values, causing TPM quarantine and disk inaccessibility  
+3. **Operational Flexibility**: No mechanism for operators to reset/update attestation data after TPM replacement, firmware upgrades, or key rotation
+
+### Proposed Solution: Selective Enrollment Mode
+
+Implement a "selective enrollment mode" where operators can set specific attestation fields to empty/null values in SealedVolume specs, indicating that the server should:
+1. Accept any value for that field during attestation
+2. Store the received value for future verification
+3. Update the SealedVolume with the learned value
+
+### Required Implementation Changes
+
+#### 1. **SealedVolume API Enhancement**
+```yaml
+spec:
+  TPMHash: "required-tpm-hash"  # MUST be set for client matching
+  attestation:
+    ekPublicKey: ""             # Empty = enrollment mode
+    akPublicKey: ""             # Empty = enrollment mode  
+    pcrValues:
+      pcrs:
+        "0": ""                 # Empty = enrollment mode for this PCR
+        "7": "fixed-value"      # Set = enforce this value
+        # "11": omitted         # Omitted = skip verification entirely
+```
+
+#### 2. **Server Logic Updates**
+- Modify `verifyAKMatch()` to handle empty AK fields as enrollment mode
+- Modify `verifyPCRValues()` to handle empty PCR values as enrollment mode  
+- Add logic to update SealedVolume specs when learning new values
+- Ensure TPM hash is always required and validated for client matching
+
+#### 3. **Test Simplification**
+Replace complex mock attestation data in tests with simple enrollment mode:
+```yaml
+# tests/encryption_test.go - remote-static test
+spec:
+  TPMHash: "computed-from-vm"   # Get from /system/discovery/kcrypt-discovery-challenger
+  partitions:
+    - label: COS_PERSISTENT
+      secret: {name: "static-passphrase", path: "pass"}
+  attestation: {}               # Full enrollment mode
+```
+
+### Use Cases Solved
+
+1. **Static Passphrase Tests**: Create Secret + minimal SealedVolume, let TOFU handle attestation
+2. **Production Manual Setup**: Operators set known passphrases + TPM hashes, system learns security data
+3. **Firmware Upgrades**: Set PCR fields to empty to re-learn after BIOS updates
+4. **TPM Replacement**: Set AK field to empty to re-learn after hardware changes
+5. **Kernel Updates**: Omit PCR 11 entirely to avoid quarantine on upgrades
+
+### Critical Implementation Notes
+
+- **TPM Hash MUST remain mandatory** - without it, multiple clients would match the same SealedVolume
+- **EK verification should remain strict** - only AK and PCRs should support enrollment mode
+- **Add proper logging** for enrollment events for audit trails
+- **Consider rate limiting** to prevent abuse of enrollment mode
+- **Update documentation** with operational procedures for each use case
+
+### Priority: High
+This blocks current test failures and addresses fundamental operational challenges for production deployments.