New Feature: Enable the default generation and installation of a user-controlled KEK #29

@pbatard

Description

Stemming from https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-driver-security-removing-trust-for-the-cross-signed-driver-pro/4504818 and especially the part that states:

Customers with confidential or internal-only driver scenarios, who have control over the UEFI Secure Boot authorities, can use this new feature to allow custom signers not trusted in the Windows kernel by default. The App Control policy enables customers to run privately signed drivers on enrolled systems without degrading security. The policy must be signed by an authority in the device’s Secure Boot Platform Key (PK) or Key Exchange Key (KEK) variables to ensure the policy is applicable to only their environment. By default, Application Control policies are designed to restrict the default kernel policy. When these policies are PK or KEK signed, kernel trust can be expanded to trust components and certificates otherwise not trusted in Windows.

As explained in pbatard/libwdi#289 (comment), we may therefore want to automatically create and install a user-controlled KEK, like we do for the DB to let users sign their own bootloader for Secure Boot, which they could then use to sign their own Windows kernel drivers, and have them trusted by Windows.
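Since a user-controlled KEK would be enrolled as an EFI_SIGNATURE_LIST and the Windows policy check hinges on which authorities actually sit in the KEK variable, here is an added example (not code from this project) that builds an X.509 signature list for a KEK update and walks a KEK variable value to report what is enrolled. The certificate bytes and the owner GUID below are constructed placeholders, not real certificates.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): entries are whole DER X.509 certificates, with no per-list header.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize.
ESL_HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA entry starts with the SignatureOwner GUID


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, the unit a KEK or db update is made of."""
    sig_size = OWNER_GUID_LEN + len(der_cert)
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_signature_lists(blob: bytes) -> list:
    """Walk a KEK/db variable value (concatenated lists) and return one dict per enrolled entry.

    Each dict carries the list type, the SignatureOwner GUID and the SHA-256 of the entry data,
    so what is actually enrolled can be compared against the authorities you expect.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("trailing bytes shorter than an EFI_SIGNATURE_LIST header")
        stype, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size or hdr_size > list_size - ESL_HEADER.size:
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        body_start, body_len = off + ESL_HEADER.size + hdr_size, list_size - ESL_HEADER.size - hdr_size
        if off + list_size > len(blob) or sig_size <= OWNER_GUID_LEN or body_len % sig_size:
            raise ValueError("EFI_SIGNATURE_LIST does not fit its declared sizes")
        for pos in range(body_start, body_start + body_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            data = blob[pos + OWNER_GUID_LEN:pos + sig_size]
            entries.append({"type": uuid.UUID(bytes_le=stype), "owner": owner,
                            "sha256": hashlib.sha256(data).hexdigest()})
        off += list_size
    return entries


def is_enrolled(blob: bytes, der_cert: bytes) -> bool:
    """True if this exact certificate is present in the variable value (e.g. a KEK dump)."""
    return hashlib.sha256(der_cert).hexdigest() in {e["sha256"] for e in parse_signature_lists(blob)}


# Constructed sample: two placeholder "certificates" (not real DER) and a placeholder owner GUID.
USER_KEK_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT_A = b"\x30\x82\x01\x00" + bytes(64)
SAMPLE_CERT_B = b"\x30\x82\x02\x00" + bytes(96)
SAMPLE_KEK = build_x509_esl(SAMPLE_CERT_A, USER_KEK_OWNER) + build_x509_esl(SAMPLE_CERT_B, uuid.UUID(int=0))
```

On Windows the variable value to feed `parse_signature_lists` can be read with `(Get-SecureBootUEFI -Name KEK).Bytes`.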
