by my123 88 days ago
> Which vendors already support this?

One implementation I've seen in the wild is: https://docs.nvidia.com/jetson/archives/r36.4/DeveloperGuide...

Secure Boot is still supported in that configuration, but with PK/db/dbx being part of the firmware configuration and updating them requiring a UEFI capsule update.

1 comments

Looks like UKIs include the initrd in what EFI checks the signature of.

Add signature checking for grub.cfg (instead of just the EFI shim), but that requires enrolling a local key.

Add initrd signatures to grub.cfg