Provide Secure Boot support

As discussed in FS#53864 it would be beneficial to provide Secure Boot support out-of-the-box (for systems that are booted for the first time and have Secure Boot enabled or for systems where Secure Boot can not be disabled).

One of the outcomes of the above discussion has been that likely the only viable option for this use-case is to apply for a distribution certificate and use a signed shim (see this mailing list discussion by @diabonas for reference).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information