Shim: Add support for vendor_db built-in shim whitelist

I am not sure, but this might be something interesting:

Potential new signing strategies (for example signing grub, fwupdate and vmlinuz with separate certificates) require shim to support a vendor-provided bundle of trusted certificates and hashes, which allows shim to “whitelist” EFI binaries matching either certificate by signature, or hash in the vendor_db. Functionality is similar to vendor_dbx (vendor blacklist).

https://github.com/rhboot/shim/commit/bd89dabf5fc767e3824fd8b9e94b044cdb578fb1

There are probably many other more interesting checkins to this important codebase:

https://github.com/rhboot/shim/commits/master
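
To make the hash half of that commit message concrete, here is an added example (not code from shim or from the commit) that looks up a SHA-256 digest in a deny list and an allow list. It assumes both lists use the UEFI EFI_SIGNATURE_LIST layout and that the deny list is consulted first, as is the usual db/dbx convention; the names esl_has_sha256, check_hash and make_esl are hypothetical, and the sample lists are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID {c1c41626-504c-4092-aca9-41f936934328}, in-memory byte order. */
static const uint8_t SHA256_GUID[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
                                        0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};

static uint32_t rd32(const uint8_t *p) {           /* little-endian u32 */
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk concatenated EFI_SIGNATURE_LISTs; return 1 if a SHA-256 entry equals digest. */
int esl_has_sha256(const uint8_t *db, size_t len, const uint8_t digest[32]) {
    size_t off = 0;
    while (len - off >= 28) {                      /* 16-byte type GUID + three u32 sizes */
        const uint8_t *l = db + off;
        uint32_t list_sz = rd32(l + 16), hdr_sz = rd32(l + 20), sig_sz = rd32(l + 24);
        if (list_sz < 28 || list_sz > len - off) return 0;  /* malformed: stop, no match */
        if (hdr_sz > list_sz - 28) return 0;
        if (memcmp(l, SHA256_GUID, 16) == 0 && sig_sz == 16 + 32) {
            /* each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the hash */
            for (size_t s = 28 + hdr_sz; s + sig_sz <= list_sz; s += sig_sz)
                if (memcmp(l + s + 16, digest, 32) == 0) return 1;
        }
        off += list_sz;
    }
    return 0;
}

enum verdict { DENIED = -1, UNKNOWN = 0, ALLOWED = 1 };

/* Assumed ordering: deny list wins; UNKNOWN means "not decided by these two lists". */
enum verdict check_hash(const uint8_t *dbx, size_t dbx_len,
                        const uint8_t *db, size_t db_len, const uint8_t digest[32]) {
    if (esl_has_sha256(dbx, dbx_len, digest)) return DENIED;
    if (esl_has_sha256(db, db_len, digest)) return ALLOWED;
    return UNKNOWN;
}

/* Constructed sample: a one-entry SHA-256 list (76 bytes) whose hash is 32 x fill. */
size_t make_esl(uint8_t out[76], uint8_t fill) {
    memset(out, 0, 76);
    memcpy(out, SHA256_GUID, 16);
    out[16] = 76;           /* SignatureListSize */
    out[24] = 48;           /* SignatureSize; SignatureHeaderSize stays 0 */
    memset(out + 44, fill, 32);
    return 76;
}
```

Certificate entries in the same lists would be matched against the binary's signature rather than its digest, which this example does not cover.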
