MokManager.efi as a separate binary creates a pile of issues:

• with TPM enabled, we have to reboot after running MokManager, so that the new boot option doesn't have fallback in its history of PCR[7] values
• the workflow is confusing and involves several reboots if more than one component in the boot chain isn't authorized at the start and they aren't signed by the same cert, or the user isn't enrolling that cert
• set_second_stage() has to find it
• people get confused about when and where to put it on various kinds of media

If mok_manager is a function rather than a separate executable, things are better:

• TPM PCRs do not change because of mok_manager() entry
• we can invoke mok_manager() again at any point in the boot sequence
• we no longer have to find it in set_second_stage()
• mokmanager.efi no longer needs to exist in the make files
• it doesn't need to exist on the media
• we don't need to worry about how it's signed/hashed/etc.