systemd-boot can be used to replace grub as the bootloader. This works fine if kernels are manually added as entries when the kernel updates. To support secureboot with Fedora / systemd-boot, two things are required; this report is for 1):
1) Sign systemd-bootx64.efi with Fedora keys so systemd-boot can load.
I have no idea how this would work. I see grub2 calls pesign during build that does some smartcard callout. I guess we'd need something similar. If someone who knows how this works can help with the implementation, I'd be happy to provide such signatures.
Wouldn't it be enough to include BuildRequires: pesign and use pesign macros like in grub?
I have done additional research and it was mentioned on github:/systemd that systemd-boot itself is not designed to be signed. The title of this issue should rather be that shim is not working nicely with systemd-boot.
After further discussion it seems shim will never play well with systemd-boot, nor does it support being signed. If one wants to use systemd-boot with secureboot, the efitools are required, which are not packaged in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1891465