Comment 13 for bug 1890672

Dimitri John Ledkov (xnox) wrote :

using shim does not require using microsoft keys.

you can use shim, signed with your own key and empty db, and distrusted canonical ca as I have pointed out above, or like configure shim to disable validation altogether.

I repeat _microsoft keys are not required_.

What is required is for shim apis to be available to grub.

This way grub can assert that it is enforcing whatever policies you want to be enforced, including skipping signature validations via shim, even when booted under secureboot when configured using `mokutil --disable-validation`.

We must check that shim api is present to ensure that shim set policies are enforced and honored (which for your deployment will mean, to ensure that shim validation is _not trusted_).