Story
Resolution: Unresolved
rhel-virt-core-libvirt-2
Libvirt Bugs already in Sprint
Goal
- Historically edk2 did not enforce secure boot verification for kernels passed from qemu for direct kernel boot. This is going to change and virt-install must be adapted to make sure secure boot installs continue to boot.
Possible approaches:
(1) Probably simplest: pass the shim.efi binary in addition to the kernel, via <shim/> next to <kernel/> in the libvirt XML.
(2) Rethink the network install workflow: use boot.iso + an OEMDRV image with the kickstart file.
Turning secure boot off (temporarily) is an option too, possibly depending on libosinfo hints.
Maybe it makes sense to turn off secure boot by default for all distros which are EOL; I expect older Fedora install images will not boot with secure boot anyway due to shim binaries with known security bugs.
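A pre-flight check for approach (1), as an added example that is not virt-install or libvirt code: it flags domain XML that combines secure boot with direct kernel boot but carries no `<shim>` next to `<kernel>`. The file paths and function names are constructed for illustration, and the check assumes secure boot is requested either through the firmware `secure-boot` feature or through `<loader secure='yes'>`.

```python
import xml.etree.ElementTree as ET

def secure_boot_enabled(os_el):
    """True if the <os> element requests UEFI secure boot."""
    # Firmware autoselection: <firmware><feature name='secure-boot' enabled='yes'/>
    for feat in os_el.findall("./firmware/feature"):
        if feat.get("name") == "secure-boot":
            return feat.get("enabled") == "yes"
    # Manual firmware selection: <loader secure='yes'>
    loader = os_el.find("loader")
    return loader is not None and loader.get("secure") == "yes"

def check_direct_kernel_boot(domain_xml):
    """Return a list of findings; an empty list means nothing to fix."""
    os_el = ET.fromstring(domain_xml).find("os")
    if os_el is None or os_el.find("kernel") is None:
        return []  # not a direct kernel boot, firmware loads the bootloader
    if not secure_boot_enabled(os_el):
        return []  # kernel verification is not enforced without secure boot
    shim = os_el.find("shim")
    if shim is None or not (shim.text or "").strip():
        return ["secure boot with <kernel> but no <shim>: "
                "add <shim> or disable secure boot for this install"]
    return []

# Constructed sample domain XML (paths are placeholders)
WITH_SHIM = """<domain type='kvm'>
  <os firmware='efi'>
    <firmware><feature enabled='yes' name='secure-boot'/></firmware>
    <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
    <initrd>/var/lib/libvirt/boot/initrd.img</initrd>
    <shim>/var/lib/libvirt/boot/shimx64.efi</shim>
  </os>
</domain>"""
NO_SHIM = WITH_SHIM.replace(
    "    <shim>/var/lib/libvirt/boot/shimx64.efi</shim>\n", "")
SB_OFF = NO_SHIM.replace("enabled='yes'", "enabled='no'")

if __name__ == "__main__":
    for name, xml in (("with shim", WITH_SHIM), ("no shim", NO_SHIM),
                      ("secure boot off", SB_OFF)):
        print(name, "->", check_direct_kernel_boot(xml) or "ok")
```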