Why would anybody revoke Fedora's UEFI bootloader signature? Presumably it's small and simple enough not to be exploitable itself.
One needs to distinguish between the initial small bootloader, signed by M$/Verisign, and everything else, which will be signed by Fedora.
If some security-circumventing bug is found, there are a couple of options:
* Store a list of hashes in the kernel, modules having that hash being forbidden to load.
* Use a sub-key for signing modules / the kernel; if buggy, revoke that subkey, distribute another one, distribute new signatures for non-affected parts of the system. This probably boils down to "don't trust any subkey created before <date>".
* Build a new mini-bootloader that only knows a new Fedora key, and install that. Ship new signatures for GRUB, the kernel, and all modules.
In none of these scenarios is there any possibility of the system being non-bootable – the running system can easily verify that the signature chain is unbroken before rebooting.
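
A toy model of the pre-reboot check described above, as an added example that is not part of the original comment: it applies the forbidden-hash list and the "no subkey created before <date>" rule to every installed component and reports what would fail to load. HMAC stands in for real public-key signatures, and all key names, images and dates are constructed.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Key:
    name: str
    secret: bytes                    # HMAC secret: stand-in for a real key pair
    created: date
    issuer: Optional["Key"] = None   # None means the key built into the mini-bootloader

@dataclass
class Component:
    name: str
    image: bytes
    signer: Key
    signature: bytes

def sign(key: Key, image: bytes) -> bytes:
    return hmac.new(key.secret, image, hashlib.sha256).digest()

def broken_links(components, root, forbidden_hashes, subkey_cutoff):
    """Return (component name, reason) for everything the new policy would reject."""
    failures = []
    for c in components:
        if hashlib.sha256(c.image).hexdigest() in forbidden_hashes:
            failures.append((c.name, "hash is on the forbidden list"))
        elif not hmac.compare_digest(sign(c.signer, c.image), c.signature):
            failures.append((c.name, "signature does not verify"))
        elif c.signer is not root and c.signer.issuer is not root:
            failures.append((c.name, "signer does not chain to the bootloader key"))
        elif c.signer is not root and c.signer.created < subkey_cutoff:
            failures.append((c.name, "subkey created before the cutoff date"))
    return failures

def build_sample():
    """Constructed system: one stale signature and one blacklisted module."""
    root = Key("distro-root", b"root-secret", date(2012, 1, 1))
    old = Key("subkey-old", b"old-secret", date(2012, 2, 1), issuer=root)
    new = Key("subkey-new", b"new-secret", date(2012, 7, 1), issuer=root)
    def comp(name, image, key):
        return Component(name, image, key, sign(key, image))
    parts = [comp("grub", b"grub image", root), comp("kernel", b"kernel image", new),
             comp("mod_ok.ko", b"good module", new), comp("mod_stale.ko", b"unaffected module", old),
             comp("mod_buggy.ko", b"module with the bug", new)]
    forbidden = {hashlib.sha256(b"module with the bug").hexdigest()}
    return parts, root, forbidden, date(2012, 6, 1)

if __name__ == "__main__":
    failures = broken_links(*build_sample())
    for name, reason in failures:
        print(f"{name}: {reason}")
    print("safe to reboot" if not failures else "do NOT reboot yet")
```

Re-signing `mod_stale.ko` with the new subkey and removing `mod_buggy.ko` empties the failure list, which is the condition to require before rebooting.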