Type: Story
Resolution: Unresolved
Sub-system team: rhel-sst-image-builder
BACKGROUND
If a customer is using Secure Boot, they will most likely need to enroll additional public keys (e.g. to verify signed kernel modules used by third-party security software). Currently, the recommended procedure [1] is manual and there is no easy way to automate it. If Image Builder could provide such a feature, it might benefit its adoption, in particular considering the push towards better security we are seeing these days (e.g. the adoption of the NIS2 directive).
SUGGESTION
A potential implementation could be to add an additional customizations directive in the Blueprint (e.g. customizations.secureboot.import_keys).
The new directive would take as input a list of strings containing the paths of the public keys to import (similarly to what customizations.rpm.import_keys already does).
osbuild would then enroll the uploaded keys in the MOK list at build time.
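As an added illustration (not part of this ticket, and not an existing Image Builder feature), the blueprint fragment below shows how the proposed directive might sit next to the existing customizations.rpm.import_keys section. The secureboot table name is the ticket's own suggestion, the files key under it mirrors the rpm.import_keys layout and is an assumption, and the blueprint name and file paths are constructed.

```toml
# Added illustration of the proposal, not code from the ticket or from osbuild-composer.
name = "secureboot-demo"                                   # constructed blueprint name
description = "Image with an additional MOK certificate enrolled at build time"
version = "0.0.1"

# Existing directive the ticket points to for comparison: GPG keys imported for RPM verification.
[customizations.rpm.import_keys]
files = ["/root/third-party-vendor.gpg"]                   # constructed path

# Proposed directive (hypothetical): public keys to enroll in the MOK list at build time.
# Table name follows the ticket's suggestion; the 'files' key is assumed to mirror rpm.import_keys.
[customizations.secureboot.import_keys]
files = ["/root/third-party-driver-signing.der"]           # constructed path
```

Keeping the proposed directive structurally parallel to rpm.import_keys would let the same blueprint validation and file-handling paths be reused, and makes it obvious to reviewers which keys end up trusted by the firmware versus by the package manager.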