in regards to secure boot with multiple keys: the short answer is that it will not work. there are counters in use which will not match up between the two keys even though the private key is the same. the solution I am using is in the case of losing the primary key I reset the HOTP secret with the backup librem key in order to bring it into service.