Comment 4 for bug 1187233

Ivan Hu (ivan.hu) wrote :

It seems the shim installs the UEFI protocol in shim.c:
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
        ...
        shim_lock_interface.Verify = shim_verify;

        ...
        uefi_call_wrapper(BS->InstallProtocolInterface, 4, &handle,
                          &shim_lock_guid, EFI_NATIVE_INTERFACE,
                          &shim_lock_interface);
}

And grub used the protocol to verify the signature, but stopped in the second call.
In grub loader/i386/efi/linux.c:
  if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
    return 1;
  grub_dprintf ("linuxefi", "Asking shim to verify kernel signature\n");
  status = shim_lock->verify(data, size);
  if (status == GRUB_EFI_SUCCESS)
    {
      grub_dprintf ("linuxefi", "Kernel signature verification passed\n");
      return 1;
    }

  grub_dprintf ("linuxefi", "Kernel signature verification failed (0x%lx)\n",
                (unsigned long) status);
  return 0;