While that meant dealing with Microsoft, it was as Garrett had written earlier, “Easy enough for us [Red Hat] to do, but not necessarily practical for smaller distributions.” It’s also, as The Linux Foundation has found, in its so-far failed attempts to obtain a universal Secure Boot key for Linux distributions, really not that easy at all.
What Garrett has done with his shim approach is to create a signed boot-loader that can add keys to its own database. This is built on SUSE’s bootloader design. In the SUSE design, the boot-loader has its own key database, besides the UEFI specification’s key database. The SUSE boot-loader then executes any second-stage boot-loaders signed with a key in that database. Since the boot-loader is in charge of its own key enrollment, the boot-loader is free to impose its own policy, including enrolling new keys off a Linux distribution’s installation file-system.