support for secure boot

Advice from https://secureblue.dev:

If you're not adding out-of-tree kmods, secure boot should already work today with Fedora's key. That said, what @travier is saying is that this will change with UKIs.

Our secure boot scripts are here:

• https://github.com/secureblue/secureblue/blob/live/files/scripts/signmodules.sh
• https://github.com/secureblue/secureblue/blob/live/files/scripts/signkernel.sh
• https://github.com/secureblue/secureblue/blob/live/files/scripts/sign-check.sh

It seems there are two options for working with custom signing keys:

• add the key before installing the image and have secureboot enabled during the installation
• add the key after installing the image and enable secureboot only after the installation

References

• https://discussion.fedoraproject.org/t/how-to-turn-on-secure-boot-on-silverblue/77516
• https://docs.bazzite.gg/General/Installation_Guide/secure_boot/
• https://github.com/ublue-os/bazzite/blob/main/README.md#secure-boot
• https://rpmfusion.org/Howto/Secure%20Boot
• https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2)