redhat: Switch UKI to using its own SecureBoot cert
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225529
Switch UKI to using dedicated SecureBoot certificates (redhatsecureboot504/centossecureboot204) and temporarily carry them with kernel until 'redhat-sb-certs' package is updated.
To support the change, add RHEL specific SBAT section to the UKI, this allows to revoke vulnerable binaries in the future without the need to extend UEFI DBX with all 'bad' hashes or the need to change the signing key.
Signed-off-by: Vitaly Kuznetsov vkuznets@redhat.com