Hardening startimage:
- Don't allow non-participating bootloaders/kernels to call
  ExitBootServices(), but trap in StartImage() so we can let them do
  that.
Versioned protocol:
- Make shim and the bootloaders using it express how enlightened they
  are to one another, so we can stop earlier without tricks like
  the one above
MokListRT containing shim key:
- MokListRT has to contain the shim key...
MokListRT signing:
- For kexec and hybernate to work right, MokListRT probably needs to
  be an authenticated variable.  It's probable this needs to be done
  in the kernel boot stub instead, just because it'll need an
  ephemeral key to be generated, and that means we need some entropy
  to build up.
Better ui:
- Gary Lin at SuSE is working on better UI for MokManager.  It
  desperately needs it.
James's modification:
- We're merging James Bottomley's hack to make shim use unpublished
  system crypto services, as a compile time option.
New security protocol:
- TBD
kexec MoK Management:
Modsign enforcement mgmt MoK:
- This is part of the plan for SecureBoot patches.  Basically these
  features need to be disableable/enableable in MokManager.
Variable for debug:
- basically we need to be able to set a UEFI variable and get debug
  output.
Db key mokutil config:
- Asked for by Mimi Zohar: An (on/off) option that would prevent the shim
  and the kernel from trusting keys listed in 'db' and only use those coming
  from the MOK List.
Hashing of option roms:
- hash option roms and add them to MokListRT
- probably belongs in MokManager