There’s a few ways you could accomplish this, but I’m not aware of any “built-in” mechanism.
To get you started, I’d take a look at the implementation of these:
The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db,dbx (aka, EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).
From: Vu Dinh via groups.io<mailto:firstname.lastname@example.org>
Sent: Tuesday, April 6, 2021 7:58 AM
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration
I'm currently developing UEFI payload with Secure Boot enabled. I want
to customize Secure Boot configuration (PK, KEK, DB, DBX) at build time
of Edk2 instead of changing Secure Boot in BIOS Setup.
Please tell me what should I do to customize Secure Boot configurations.