Bug | Resolution: Done-Errata | rhel-9.3.0 | dracut-057-51.git20231114.el9 | Moderate | rhel-sst-cs-plumbers | ssg_core_services | 26 | Dev ack | False | Pass | Automated
Description of problem:
To create a UKI, RHEL currently uses dracut to pack the initrd, systemd-stub and vmlinux together.
In addition to these sections, we also need a .sbat section to support the SBAT mechanism, which is used to revoke UKIs that contain security issues. More info about SBAT here: https://github.com/rhboot/shim/blob/main/SBAT.md
We need to update dracut to include this PR https://github.com/dracutdevs/dracut/pull/2426 so that it automatically takes the .sbat section from vmlinux and from systemd-stub and merges them into a new UKI .sbat section. More details are in the PR.
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. clone systemd repo && make sure packages shim efibootmgr kernel-uki-virt are installed
2. compile systemd stub (mkdir build && ./configure -Dbootloader=true && make)
3. generate UKI with dracut (dracut-virt.conf is taken from https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/blob/main/redhat/dracut-virt.conf)
dracut --conf=/root/dracut-virt.conf --confdir=$(mktemp -d) --verbose --kver 5.14.0-284.el9.x86_64 --kmoddir=/lib/modules/5.14.0-284.el9.x86_64/ --uefi --kernel-image=/boot/vmlinuz-5.14.0-284.el9.x86_64 --kernel-cmdline "console=tty0 console=ttyS0 $CMD_LINE" --uefi-stub /mnt/systemd/build/src/boot/efi/linuxx64.efi.stub --force /boot/efi/EFI/Linux/$EFI_FILE
printf "\\\EFI\\\Linux\\\\${EFI_FILE}\0" | iconv -f ASCII -t UCS-2 > /tmp/bootarg
efibootmgr -c -d /dev/vda -p 2 --append-binary-args /tmp/bootarg -L $EFI_NAME -l "\EFI\redhat\shimx64.efi"
4. check that the UKI has a .sbat section and that the section contains 1) the generic sbat header line, 2) the systemd-stub sbat entry, 3) the vmlinux sbat entries, if vmlinux carries a .sbat section of its own.
Also test with --sbat "some sbat string" added to the dracut command in step 3 and verify in step 4 that it is present in the UKI too:
objcopy -O binary --only-section=.sbat $EFI_FILE sbat_output.txt
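The merge described in the description and the step 4 check, as an added example that is not dracut's code and not the code from the linked PR. It parses the PE section table directly (the same thing objcopy does above), pulls the .sbat section out of each input image, merges them into one section and verifies that every expected entry survived in the resulting UKI. Assumptions not stated in the bug report: the merge keeps a single generic sbat header line followed by the unique component entries of every input in input order; make_minimal_pe() is a constructed helper so the example runs offline, and the kernel and --sbat entries are invented placeholders.

```python
"""Extract, merge and verify .sbat sections of the PE images that make up a UKI.

Added example; not dracut's own code. The merge policy (one header line, then
unique component entries in first-seen order) and make_minimal_pe() are
assumptions made so the example can run without real EFI binaries.
"""
import struct

# Generic SBAT header line as defined in shim's SBAT.md.
SBAT_HEADER = ("sbat,1,SBAT Version,sbat,1,"
               "https://github.com/rhboot/shim/blob/main/SBAT.md")


def pe_section(image, name):
    """Return the raw bytes of PE/COFF section `name`, or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    want = name.encode().ljust(8, b"\0")
    for i in range(nsections):
        hdr = table + 40 * i                  # 40-byte section header
        if image[hdr:hdr + 8] != want:
            continue
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        size = raw_size if vsize == 0 else min(vsize, raw_size)
        return image[raw_ptr:raw_ptr + size]
    return None


def parse_sbat(blob):
    """Split a .sbat section into its CSV lines, dropping NUL padding and blanks."""
    if blob is None:
        return []
    text = blob.rstrip(b"\0").decode("ascii")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def merge_sbat(*sections, extra=""):
    """Merge the SBAT data of several images plus an optional --sbat string.

    Each input may carry its own generic 'sbat,1,...' header; it is emitted
    once, then each distinct component entry in first-seen order (assumed policy).
    """
    entries = []
    for blob in (*sections, extra.encode("ascii")):
        for line in parse_sbat(blob):
            if line.startswith("sbat,"):
                continue
            if line not in entries:
                entries.append(line)
    return "\n".join([SBAT_HEADER, *entries]) + "\n"


def check_uki_sbat(uki, required):
    """Step 4 check: return the entries from `required` missing in the UKI's .sbat."""
    present = set(parse_sbat(pe_section(uki, ".sbat")))
    return [entry for entry in required if entry not in present]


def make_minimal_pe(sections):
    """Constructed helper: a bare PE/COFF image holding only the given sections."""
    names = list(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x0002)
    data_start = 64 + 4 + 20 + 40 * len(names)
    headers, body = b"", b""
    for n in names:
        blob = sections[n]
        headers += n.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(blob), 0, len(blob), data_start + len(body),
            0, 0, 0, 0, 0x40000040)
        body += blob
    return dos + b"PE\0\0" + coff + headers + body


# Constructed sample SBAT data: the systemd line has the shape of a real stub
# entry; the kernel and --sbat lines are placeholders invented for this example.
STUB_SBAT = SBAT_HEADER + "\nsystemd,1,The systemd Developers,systemd,254,https://systemd.io/\n"
KERNEL_SBAT = SBAT_HEADER + "\nkernel.example,1,Example Vendor,kernel,5.14.0-284.el9,https://example.invalid/\n"
EXTRA_SBAT = "extra.example,1,Example Vendor,extra-component,1,https://example.invalid/"


def demo():
    """Build stub and kernel images, merge their SBAT, build a UKI and verify it."""
    stub = make_minimal_pe({".text": b"\x90" * 16, ".sbat": STUB_SBAT.encode() + b"\0" * 5})
    kernel = make_minimal_pe({".text": b"\x90" * 16, ".sbat": KERNEL_SBAT.encode()})
    merged = merge_sbat(pe_section(stub, ".sbat"), pe_section(kernel, ".sbat"), extra=EXTRA_SBAT)
    uki = make_minimal_pe({".linux": b"\x90" * 16, ".sbat": merged.encode()})
    required = parse_sbat(STUB_SBAT.encode()) + parse_sbat(KERNEL_SBAT.encode()) + [EXTRA_SBAT]
    return merged, check_uki_sbat(uki, required)


if __name__ == "__main__":
    text, missing = demo()
    print(text, end="")
    print("missing:", missing or "none")
```

On a real system pe_section() can be pointed at the objcopy-dumped sbat_output.txt's source files directly (the stub, the kernel image and the finished UKI under /boot/efi/EFI/Linux); check_uki_sbat() then answers the step 4 question without inspecting the dump by hand. A UKI whose .sbat lacks the stub or kernel entry cannot be revoked through those components' SBAT generations, which is why the check treats any missing entry as a failure.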