On most laptops it is possible to set the boot devices to prevent booting from external devices (such as USB). If you do that, then only the installed OS would be allowed to boot. This should take care of the desire to only allow Fedora to boot.
The default keys within the BIOS would be the correct ones, since the Fedora kernel/boot loader is already signed with an approved key within that list and Fedora uses secure boot regularly.
If I understand correctly, Kinoite requires secure boot by default. (I may be wrong about that since I do not use Kinoite.)
It would be required, I thought, to enrol the key of the OS you wish to secure boot. So it is the same key that gets enrolled when you install Fedora (whatever variant) as a secure boot setup. I don’t see the problem with adding it after the fact by enrolling; it resides in the shim, as @vekruse noted.
The BIOS already contains the keys.
The shim used to boot Fedora is signed by that key.
As implied in the discussion above, Fedora is properly signed, the key is already enrolled in the BIOS, and the user needs to do nothing more than to boot and install Fedora by default. It seems you are misreading whatever instructions are in front of you.
Yes, an OS must have signed modules (the shim) to load the kernel when secure boot is enabled.
Fedora already meets that requirement and has for several release versions. Nothing more needs to be done.