sbctl
Feature request: warn about writing UKIs to the EFI partition on FDE setups
This might be a bit of a far-fetched feature request, especially given that the UKI support is considered secondary to this tool, but I'd still like to put it out there and hear your thoughts ^^
When generating a UKI, it might be tempting to put it on the EFI partition, next to the other EFI executables (this is also done in the README example). Doing that, however, can be a major security issue on setups with FDE and encrypted `/boot` (such as Manjaro by default):

Setups with encrypted `/boot` usually include a copy of an FDE key in the initramfs, otherwise you'd have to type in your FDE password twice during boot (once for the bootloader to decrypt `/boot` and once for the kernel to decrypt the drive). The initramfs can safely contain a plain copy of the FDE key since it itself resides on the encrypted `/boot`. When generating a UKI, the initramfs is bundled, including the plain FDE key. Thus, placing the UKI on the EFI partition effectively means copying an unprotected key for your full-disk encryption to an unencrypted partition, compromising the whole FDE setup.

My suggestion: on setups with encrypted `/boot`, warn about writing UKIs to the EFI partition (and maybe suggest putting them under `/boot` next to the initramfs and vmlinuz files etc. instead).
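As an added illustration of the check this request asks for (example code, not part of sbctl and not from the issue author), the script below implements the heuristic in Python: parse `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` output, find the block device that backs `/boot` and the one that will hold the UKI, walk each device's parent chain for a `crypt` layer, and emit a warning only when `/boot` is encrypted but the UKI destination is not. The `lsblk` output is constructed inline for two layouts (a separate LUKS-backed `/boot`, and a plain `/boot` partition); the function names and the warning text are this example's own choices.

```python
"""Warn when a UKI built from an encrypted /boot would land on an unencrypted ESP.

Added example, not sbctl's own code. It consumes `lsblk -P` key="value" output,
which is constructed below so the script runs offline.
"""
import shlex
from typing import Dict, Optional

# Constructed sample 1: LUKS-encrypted /boot (cryptboot) next to a plain vfat ESP.
SAMPLE_ENCRYPTED_BOOT = """
NAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptboot" PKNAME="nvme0n1p2" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="nvme0n1p3" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
"""

# Constructed sample 2: unencrypted /boot partition; the initramfs carries no key here.
SAMPLE_PLAIN_BOOT = """
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda3" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
"""

Device = Dict[str, str]


def parse_lsblk_pairs(text: str) -> Dict[str, Device]:
    """Parse `lsblk -P` lines into {NAME: {column: value}} (quotes handled by shlex)."""
    devices: Dict[str, Device] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def mount_for_path(devices: Dict[str, Device], path: str) -> Optional[Device]:
    """Return the device whose mount point is the longest prefix of `path`."""
    best: Optional[Device] = None
    for dev in devices.values():
        mp = dev["MOUNTPOINT"]
        if not mp:
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["MOUNTPOINT"]):
                best = dev
    return best


def is_encrypted(devices: Dict[str, Device], dev: Device) -> bool:
    """True if `dev` or any ancestor (via PKNAME) is a dm-crypt layer."""
    cur: Optional[Device] = dev
    while cur is not None:
        if cur["TYPE"] == "crypt":
            return True
        cur = devices.get(cur["PKNAME"])
    return False


def uki_placement_warning(devices: Dict[str, Device], uki_path: str) -> Optional[str]:
    """Return a warning string if writing the UKI to `uki_path` would expose the FDE key.

    The condition mirrors the issue: /boot is encrypted (so the initramfs may embed
    a plaintext key) while the destination filesystem is not.
    """
    boot = mount_for_path(devices, "/boot")
    target = mount_for_path(devices, uki_path)
    if boot is None or target is None:
        return None
    if not is_encrypted(devices, boot):
        return None  # plain /boot: nothing secret is expected in the initramfs
    if is_encrypted(devices, target):
        return None  # destination is under the same protection as /boot
    return (
        f"warning: /boot is encrypted ({boot['NAME']}) but {uki_path} would be written "
        f"to unencrypted {target['NAME']} ({target['FSTYPE']} at {target['MOUNTPOINT']}); "
        "the bundled initramfs may contain the plaintext FDE key"
    )


if __name__ == "__main__":
    for label, sample in (("encrypted /boot", SAMPLE_ENCRYPTED_BOOT), ("plain /boot", SAMPLE_PLAIN_BOOT)):
        devs = parse_lsblk_pairs(sample)
        for dest in ("/boot/efi/EFI/Linux/linux.efi", "/boot/EFI/Linux/linux.efi"):
            print(f"[{label}] {dest}: {uki_placement_warning(devs, dest) or 'ok'}")
```

On a live system the same functions would be fed `subprocess.run(["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"], capture_output=True, text=True).stdout`; walking `PKNAME` rather than checking only the mounted device is what lets the check also recognise LVM-on-LUKS layouts, where `/boot` sits on an `lvm` device whose parent is the `crypt` layer.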