Comment 2 for bug 1797011

Mathieu Trudel-Lapierre (cyphermox) wrote :

The principal feature we need here is --export, which will allow us to export keys from the firmware and compare kernel signatures to figure out whether kernels are signed with trusted keys, which will improve the experience on upgrades from previous releases. This is especially relevant in the event someone installs a package from the kernel PPA and re-signs it (or imports the certificate) to keep Secure Boot validation enabled.