bluecmd
commented
3 years ago Mokutil seems to be an answer to how people self-sign kernels, and it appears to store its state in EFI variables. That is good for us as we could offer a quite simple enrollment through an installer script.
Figure out a story for Secure Boot
There is a branch for experiments using it right now.