Current state of SecureBoot support
2018-11-19, 15:19 (This post was last modified: 2018-11-19 16:25 by myxal.)
Post: #1
Can someone enlighten me regarding the current state of secure-boot support in iPXE?

I need to boot Clonezilla from the network with SB enabled on the machine (to be more specific, I don't care for security, I only need SB to test software on Windows on that machine). With SB enabled in firmware ("BIOS") setup, Clonezilla (alternative-stable-amd64, version 20180812) boots from a flash drive, and iPXE loads and shows the menu from the network. But trying to boot the same Clonezilla version from iPXE results in error 0x7f04818f.
What am I missing?

EDIT: After googling around a bit, I've come up with the following understanding:
  • Since the machine is in stock configuration, its firmware will only accept boot images signed with the MS key.
  • The reason booting from a flash drive works is because the shim that is loaded is signed by the above, but the kernel itself (and initrd, presumably) is not, and iPXE tries to load these directly.
  • Ubuntu's SB implementation uses the shim to verify Canonical's signature on the kernel.

From here, I would try to check what signature is on the clonezilla-alt kernel (Maybe Canonical's? Maybe not...), and add keys for those into the firmware DB. Or is there another, simpler way? (I'd like to avoid rolling my own CA and having to sign everything.)