UEFI Secureboot with iPXE (selfsigned db,pk keys or shim + company cert signed by M$)
2016-10-19, 13:43
Post: #1
Hi!

If we assume the following scenario to be true:
"Someone got Micro$oft to sign a ipxe.efi file so we could use ipxe.efi with full secureboot=on support (stock M$ uefi certificates in firmware)."

From within ipxe, we would not be able to start any Linux installations the way we're used to; in other words, this would not work:
initrd http://192.168.1.100/rhel72/images/pxeboot/initrd.img
chain http://192.168.1.100/rhel72/images/pxeboot/vmlinuz initrd=initrd.img inst.repo=http://192.168.1.100/centos7/

Because these Linux kernels are not signed by Microsoft, only by Red Hat.
I do understand that by adding our own self-signed keys to the UEFI firmware (db, kek, pk) and signing everything ourselves, it works as expected (I have tested that to be true, and it works fine).

But could it be possible for iPXE to work together with shim (first-stage bootloader), as shim+grub works for Red Hat/Fedora and Ubuntu?
If we got Microsoft to sign our own custom shim, with our company cert (VENDOR_CERT_FILE), then iPXE would have to do some "shim_lock|verify" function as grub does. Could this work?

(The idea is to just use stock uefi firmware keys, so we don't need to install our own uefi keys in db,kek,pk).

--
Torgeir
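A pre-flight check for the failure described in the post above (the firmware, or shim, refuses a chained kernel it cannot validate), added here as an example; it is not code from the original post or from the iPXE project. It parses the PE header of an EFI image and reports whether an Authenticode certificate table is embedded at all, which is the first thing to look at before putting a vmlinuz or ipxe.efi into a Secure Boot chain. The sample images are constructed inline with a placeholder certificate header, not a real signature.

```python
import struct

# Data directory index 4 of a PE optional header is the Certificate Table
# (the embedded Authenticode signature that UEFI firmware and shim validate).
SECURITY_DIR = 4

def authenticode_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None when the
    image carries no embedded signature. Raises ValueError for non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                        # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x20B:                               # PE32+ (x86_64 EFI images)
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    elif magic == 0x10B:                             # PE32 (32-bit EFI images)
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", image, ndirs_off)[0] <= SECURITY_DIR:
        return None                                  # table not even declared
    off, size = struct.unpack_from("<II", image, dirs_off + SECURITY_DIR * 8)
    return (off, size) if size else None

def build_sample_pe(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32+ EFI header (no sections, not bootable), used
    only to exercise the check; the 'signature' is a placeholder
    WIN_CERTIFICATE header, not a real Authenticode blob."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)  # x86-64, 0 sections, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)              # Subsystem 10 = EFI application
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if with_cert_table:
        cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\0" * 16  # dwLength, revision, PKCS_SIGNED_DATA
        struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert
```

Run `authenticode_table(open(path, "rb").read())` on the image you intend to chain: `None` means the firmware will reject it outright, while a present table only says a signature exists; whether its signer chains to a cert in db (or to shim's vendor cert) is a separate check, which is exactly why a Red Hat-signed vmlinuz still fails under stock Microsoft keys.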