mount_option_boot_efi_nosuid is notapplicable during OSBuild remediation on an UEFI system

[comps]

Description of problem:

Remediating ie. stig using OSBuild (Image Builder) via an oscap-generated Blueprint, which contains

[customizations.openscap]
profile_id = "xccdf_org.ssgproject.content_profile_stig"
...

on a Secure Boot (UEFI) virtual machine results in

Remediating rule 255/491: 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'
Remediation is not applicable, nothing was done

however a subsequent scan on a booted system fails, so it clearly is applicable there.

Is it possible that the efi partition is being added late in the process, so oscap remediation doesn't see it?
Maybe some other reason?

AFAICT - OSBuild does build an UEFI-capable qcow2 image, so it does work in both legacy BIOS and UEFI modes, but maybe oscap remediation doesn't try to remediate both ... ?

mount_option_boot_efi_nosuid seems to be using the standard mount_option template, nothing super custom.

SCAP Security Guide Version:

master @ b79ef87

Operating System Version:

RHEL-8, RHEL-9, probably RHEL-10 too

Steps to Reproduce:

1. oscap xccdf generate --profile stig fix --fix-type blueprint datastream.xml
2. Build a qcow2 image via OSBuild, using the generated blueprint
3. Import it via virt-install, but add --boot firmware=efi,loader_secure=yes to the virt-install CLI to make it create an UEFI / Secure Boot VM
4. Boot and try oscap xccdf eval, the fail should be there