Missing pieces for full local SecureBoot support #32801

Open
2 of 4 tasks
cvlc12 opened this issue May 14, 2024 · 0 comments
Labels
RFE 🎁 Request for Enhancement, i.e. a feature request

Comments

@cvlc12
Contributor

cvlc12 commented May 14, 2024

Component

bootctl, kernel-install, systemd-boot

Is your feature request related to a problem? Please describe

Nearly everything is in place to fully set up Secure Boot with local keys on a system, but a few steps still require extra steps or tooling.

  • Ukify can generate some keys (`SecureBootPrivateKey` and `SecureBootCertificate`) but not the full set of `.auth` files
  • systemd-boot can enroll Secure Boot variables automatically (if files are available under `/loader/keys/NAME/{db,KEK,PK}.auth`)
  • Ukify can sign newly created UKIs for Secure Boot automatically
  • `bootctl install/update` knows to prefer `.efi.signed` files, but cannot create these manually or automatically

I feel like most of the code to check all boxes already exists.

Describe the solution you'd like

  1. Define the default location for generated keys and be able to generate them all in one go.
  2. Teach `bootctl install/update` the `--secureboot-private-key=sb.key --secureboot-certificate=sb.cert` flags.
  3. Have Ukify and bootctl automatically search the default location and sign their updates if appropriate keys are found.

Describe alternatives you've considered

`ukify genkey` makes sense for PCR keys, but might or might not be the most logical place to create the full set of Secure Boot keys.

The systemd version you checked that didn't have the feature you are asking for

No response

@cvlc12 cvlc12 added the RFE 🎁 Request for Enhancement, i.e. a feature request label May 14, 2024
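Added example, not part of this issue or of systemd's own code: the `{db,KEK,PK}.auth` files that systemd-boot enrolls from `/loader/keys/NAME/` use the UEFI `EFI_VARIABLE_AUTHENTICATION_2` layout (an `EFI_TIME`, a `WIN_CERTIFICATE_UEFI_GUID` carrying a PKCS#7 signature, then one or more `EFI_SIGNATURE_LIST`s). The stdlib-only Python below builds and parses that layout and runs a pre-enrollment sanity check (signature-list type, owner GUID, DER-looking certificate body) on a file before it is dropped on the ESP. The owner GUID, the certificate bytes and the PKCS#7 blob in `demo()` are constructed placeholders; the code checks structure only and does not verify the PKCS#7 signature, which is what the firmware does at enrollment time.

```python
"""Structural checks for UEFI Secure Boot .auth files (stdlib only, added example)."""
import struct
import uuid

# GUIDs from the UEFI specification. On disk they are stored in the mixed
# little-endian layout that uuid.UUID(bytes_le=...) / .bytes_le handles.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1   # WIN_CERTIFICATE.wCertificateType
WIN_CERT_REVISION = 0x0200        # WIN_CERTIFICATE.wRevision
ESL_HEADER_LEN = 28               # GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


def build_esl(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one signature list must be the same size")
    sig_size = 16 + sizes.pop()                    # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = ESL_HEADER_LEN + sig_size * len(entries)
    header = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for a concatenation of signature lists."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16 or (list_size - ESL_HEADER_LEN - hdr_size) % sig_size:
            raise ValueError("bad SignatureSize")
        p = off + ESL_HEADER_LEN + hdr_size
        while p < off + list_size:
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            out.append((sig_type, owner, blob[p + 16:p + sig_size]))
            p += sig_size
        off += list_size
    return out


def build_auth2(esl, pkcs7, year=2024, month=5, day=14):
    """Wrap ESL payload in EFI_VARIABLE_AUTHENTICATION_2 (the .auth file layout)."""
    # EFI_TIME: Year u16, Month/Day/Hour/Minute/Second/Pad1 u8, Nanosecond u32,
    # TimeZone i16, Daylight u8, Pad2 u8 -> 16 bytes, time fields zeroed here.
    timestamp = struct.pack("<HBBBBBBIhBB", year, month, day, 0, 0, 0, 0, 0, 0, 0, 0)
    dw_length = 4 + 2 + 2 + 16 + len(pkcs7)        # WIN_CERTIFICATE hdr + CertType GUID + CertData
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl


def parse_auth2(blob):
    """Split a .auth file into its timestamp, PKCS#7 blob and parsed signature entries."""
    if len(blob) < 40:
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    year, month, day = struct.unpack_from("<HBB", blob, 0)
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError("bad WIN_CERTIFICATE.dwLength")
    return {
        "timestamp": (year, month, day),
        "pkcs7": blob[40:16 + dw_length],
        "entries": parse_esl(blob[16 + dw_length:]),
    }


def check_auth_file(blob, expected_owner, allowed_types=(EFI_CERT_X509_GUID,)):
    """Pre-enrollment sanity check; returns a list of problems (empty == looks fine)."""
    info = parse_auth2(blob)
    problems = []
    if not info["pkcs7"]:
        problems.append("empty PKCS#7 signature block")
    for sig_type, owner, data in info["entries"]:
        if sig_type not in allowed_types:
            problems.append(f"unexpected signature type {sig_type}")
        if owner != expected_owner:
            problems.append(f"entry owned by {owner}, expected {expected_owner}")
        if sig_type == EFI_CERT_X509_GUID and not data.startswith(b"\x30"):
            problems.append("X.509 entry does not start with a DER SEQUENCE tag")
    return problems


def demo():
    """Build a constructed db.auth-shaped blob and check it; placeholders, not real keys."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")       # constructed owner GUID
    fake_cert = b"\x30\x82\x01\x00" + b"\x00" * 256                   # constructed, not a real cert
    esl = build_esl(EFI_CERT_X509_GUID, owner, [fake_cert])
    auth = build_auth2(esl, b"\x30\x80" + b"PKCS7-PLACEHOLDER")       # constructed, not a real signature
    return auth, check_auth_file(auth, owner)


if __name__ == "__main__":
    blob, problems = demo()
    print(f"{len(blob)} bytes, problems: {problems or 'none'}")
```

In practice `parse_auth2(open("/boot/loader/keys/NAME/db.auth", "rb").read())` gives the entries to compare against the certificate you expect to have generated, and `check_auth_file` with your own owner GUID flags a file that was signed for the wrong variable owner or that carries hash entries where only certificates were intended.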