verifiedBootKeys
Configures which verified boot keys are accepted while requiring a locked bootloader. The default is VerifiedBootKey.OEM, which accepts vendor-managed VERIFIED boot without checking a custom digest. Additional VerifiedBootKey.Digest entries allow matching explicit SELF_SIGNED verified boot keys by digest. Combining VerifiedBootKey.OEM with digest entries accepts both vendor-managed VERIFIED boot and explicitly whitelisted SELF_SIGNED keys. Omitting VerifiedBootKey.OEM accepts only explicitly whitelisted SELF_SIGNED keys. This check is only meaningful when allowBootloaderUnlock is false, because verified boot state and verified boot key digest checks are skipped when unlocked bootloaders are allowed.
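The acceptance rules above, written out as a standalone Kotlin model of this one check. This is an added example, not the library's code: `BootKeyRule`, `BootState`, `RootOfTrust` and `accepts` are hypothetical stand-ins for the library's types, the digest strings are constructed placeholders, and how the library derives the digest from the attestation is not stated on this page.

```kotlin
// Added model of the policy described above; NOT the library's implementation.
// All type and function names here are hypothetical stand-ins.
enum class BootState { VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED }

sealed interface BootKeyRule {
    object Oem : BootKeyRule                          // stands in for VerifiedBootKey.OEM
    data class Digest(val hex: String) : BootKeyRule  // stands in for VerifiedBootKey.Digest
}

// Root-of-trust values reported by an attestation (constructed shape, assumption).
data class RootOfTrust(val deviceLocked: Boolean, val state: BootState, val keyDigestHex: String)

// Returns whether this check passes; other attestation checks are out of scope.
fun accepts(allowBootloaderUnlock: Boolean, rules: Set<BootKeyRule>, rot: RootOfTrust): Boolean {
    // Unlocked bootloaders allowed: boot state and key digest checks are skipped.
    if (allowBootloaderUnlock) return true
    // Otherwise a locked bootloader is required before any key rule is considered.
    if (!rot.deviceLocked) return false
    return when (rot.state) {
        // Vendor-managed VERIFIED boot is accepted only if the OEM entry is present.
        BootState.VERIFIED -> BootKeyRule.Oem in rules
        // SELF_SIGNED boot is accepted only if its key digest is explicitly listed.
        BootState.SELF_SIGNED -> rules.any {
            it is BootKeyRule.Digest && it.hex.equals(rot.keyDigestHex, ignoreCase = true)
        }
        else -> false
    }
}

fun main() {
    val pinned = "ab".repeat(32)  // constructed placeholder digest, not a real key
    val other = "cd".repeat(32)   // constructed placeholder digest, not a real key
    val policies = mapOf(
        "OEM only (default)" to setOf<BootKeyRule>(BootKeyRule.Oem),
        "OEM + digest" to setOf<BootKeyRule>(BootKeyRule.Oem, BootKeyRule.Digest(pinned)),
        "digest only" to setOf<BootKeyRule>(BootKeyRule.Digest(pinned)),
    )
    val devices = listOf(
        "stock OS, locked" to RootOfTrust(true, BootState.VERIFIED, other),
        "custom OS, pinned key" to RootOfTrust(true, BootState.SELF_SIGNED, pinned),
        "custom OS, unknown key" to RootOfTrust(true, BootState.SELF_SIGNED, other),
        "unlocked bootloader" to RootOfTrust(false, BootState.UNVERIFIED, other),
    )
    for ((policy, rules) in policies) for ((device, rot) in devices) {
        val strict = accepts(false, rules, rot)  // allowBootloaderUnlock = false
        val lax = accepts(true, rules, rot)      // allowBootloaderUnlock = true
        println("$policy | $device | locked-required=$strict | unlock-allowed=$lax")
    }
}
```

In the printed matrix the `unlock-allowed` column is `true` for every row, which shows why pinning digests has no effect unless `allowBootloaderUnlock` is false.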