[Bug 1895817] Re: [FFe] Dual-signed shim

2020-10-05 Thread Julian Andres Klode
FTR: NSA says[1] that most UEFI implementations only support one hash, which might be the first one or a random one, and upstream confirms that to some extent - PE 8.3 not having a coherent spec for alignment or padding of signatures, causing incompatibilities - so that seems like a no-go anyway.

[Bug 1895817] Re: [FFe] Dual-signed shim

2020-09-16 Thread Steve Langasek
Because there is concrete risk of regression that depends on hardware-specific testing, I do not think this is appropriate for an FFe. The dual-signed object is available and particular system configurations can manually opt into it but we should not, during feature freeze, push this out to all