Comment 15 for bug 1939565

A signed kernel module and a signed kernel have different security properties: a signed kernel has access to the firmware state prior to calling ExitBootServices, a module does not. So, no, this implementation in the shim package which was implemented specifically to support dkms modules should not be changed to support signing kernels.