bootctl: Only create loader/keys/auto if required

systemd-boot uses the existance of loader/keys/auto to determine
whether to auto-enroll secure boot or not so only create the directory
if we're actually going to put auto-enroll signature lists in it.

src/bootctl/bootctl-install.c

@@ -299,7 +299,6 @@ static const char *const esp_subdirs[] = {
         "EFI/BOOT",
         "loader",
         "loader/keys",
-        "loader/keys/auto",
         NULL
 };
 
@@ -615,6 +614,10 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert X.509 certificate to DER: %s",
                                        ERR_error_string(ERR_get_error(), NULL));
 
+        r = mkdir_one(esp, "loader/keys/auto");
+        if (r < 0)
+                return r;
+
         _cleanup_close_ int keys_fd = chase_and_open("loader/keys/auto", esp, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, O_DIRECTORY, NULL);
         if (keys_fd < 0)
                 return log_error_errno(keys_fd, "Failed to chase loader/keys/auto in the ESP: %m");
@@ -1287,6 +1290,10 @@ int verb_remove(int argc, char *argv[], void *userdata) {
                         r = q;
         }
 
+        q = rmdir_one(arg_esp_path, "/loader/keys/auto");
+        if (q < 0 && r >= 0)
+                r = q;
+
         q = remove_subdirs(arg_esp_path, esp_subdirs);
         if (q < 0 && r >= 0)
                 r = q;