Currently, the choice in terms of Secure Boot certificates that are available to a freshly booted VM is binary:

• OVMF_VARS.fd contains none;
• OVMF_VARS.secboot.fd contains the Microsoft certificate that is also present on physical hardware.

It should be possible for users to enroll their own certificates. There are three use cases that I'm aware of:

• further locking down Secure Boot by not enrolling Microsoft's certificate, which would allow booting Windows as well as any signed distro, and instead enrolling just the certificate needed for the specific OS one intends to run;
• supporting self-signed UKI addons;
• booting self-signed kernels.

For the last two scenarios, the user will have generated the certificate themselves and will provide it to libvirt directly. For the first scenario, we probably want to add certificates to libosinfo and have tools such as virt-install automatically obtain the information and provide it to libvirt based on the value passed to the --osinfo option.

In terms of XML, this could probably look like

<os firmware='efi'>
  <nvram>
    <enroll>
      <certificate>...</certificate>
      <certificate>...</certificate>
    </enroll>
  </nvram>
</os>

Certificates are usually in PEM format, which means that they're multi-line values. We will need to figure out a way to either accept them as-is, or to convert them to single-line values without causing too much inconvenience to the user.

In terms of actually enrolling the certificates, we will use the virt-fw-vars tool behind the scenes. Just as is already the case, the varstore will only be (re)generated the first time the VM is booted or upon an explicit request by the user (virsh start foo --reset-nvram).