New comment by andkem on void-packages repository

https://github.com/void-linux/void-packages/issues/12495#issuecomment-503266530

Comment:

I have a concrete suggestion for solving this.

1. We can modify the grub template and add a grub-x86_64-secure-boot_package() section that carries dependencies on the EFI signing tools.
2. This package could install a script in /usr/bin called grub-mksigned that takes a GPG ID and the path to EFI keys as well as the path to an initial Grub config. An example configuration could be provided under /usr/share/examples/grub.
3. To generate EFI keys, a script called grub-mkefikeys (names are mere suggestions) could be provided that takes a path where it puts generated keys. It could also output instructions on importing them into the EFI's key storage (pretty much the keygen.sh script in the linked tarball).

The Grub generation only has to be done once (unless you change keys) and I don't feel it would be reasonable to have it as a manual step to be able to provide your own keys and custom configuration.

As for the kernel, in this model it would be signed using the correct GPG-key. One could provide a post-install hook that runs after Grub configuration has been generated and gets the GPG ID from a configuration file under /etc/defaults and signs kernel, initramfs and Grub config using that key.

One thing I'm a bit unsure about is how to modify the generated Grub configuration without being too invasive, as it could be desirable to have the --unrestricted option on a kernel you want to boot to avoid having to type passwords twice.

This is simply an attempt at a concrete suggestion if one wishes to use the Grub model to give us more of a seed for discussion.
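The post-install signing step proposed in the comment above could look like the following sketch, which is an added example and not code from andkem or from void-packages. The `GPG_ID=` key, the config path passed by the caller, and the `GPG` override variable are assumptions; the `<file>.sig` naming is what GRUB looks for when `check_signatures=enforce` is set.

```shell
#!/bin/sh
# Added sketch, not from the void-packages tree. Hypothetical names: the
# GPG_ID= key, the config path handed in by the caller, and the GPG override.
GPG=${GPG:-gpg}

# Read GPG_ID=<id> from the config file without sourcing it, so a config
# file is never executed as shell by a hook that runs as root.
read_gpg_id() {
    sed -n 's/^GPG_ID=//p' "$1" 2>/dev/null | head -n 1
}

# sign_boot_files CONF FILE...
# Writes a detached signature FILE.sig next to each file, which is where
# GRUB looks when check_signatures=enforce is set. Any failure returns
# non-zero so the hook can report it instead of leaving unsigned files.
sign_boot_files() {
    conf=$1; shift
    id=$(read_gpg_id "$conf")
    if [ -z "$id" ]; then
        echo "no GPG_ID in $conf" >&2
        return 1
    fi
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
        # Sign to a temporary name and rename, so an interrupted run never
        # leaves a truncated .sig behind.
        if "$GPG" --batch --yes --local-user "$id" \
                  --output "$f.sig.tmp" --detach-sign "$f"; then
            mv "$f.sig.tmp" "$f.sig"
        else
            rm -f "$f.sig.tmp"
            echo "signing failed: $f" >&2
            return 1
        fi
    done
}

# Run as a script: <config> <kernel> <initramfs> <grub.cfg>
if [ "$#" -gt 0 ]; then
    sign_boot_files "$@"
fi
```

A hook built on this should treat a non-zero exit as a failed kernel install, since with signature enforcement on GRUB will refuse to load any file whose `.sig` is missing or stale.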