Bug#928300: secure boot via removable media path unavailable
I know that this bug is not closed yet, but maybe the following is of interest for you.
I noticed your report of bug #930531 which was recently fixed in grub2 version 2.02+dfsg1-19. Thus, I decided to give secure boot another try on my Intel DH77KC board. Meanwhile grub2 2.02+dfsg1-20 was installed on my system.
So what I did is
$ apt-get install shim-signed grub-efi-amd64-signed
(and automatically all deendencies). Then, to be sure,
$ dpkg-reconfigure grub-efi-amd64
of course with force_efi_extra_removable set to/left on true.
$ shutdown -r now
Then I turned secure-boot on within the mainboard's UEFI Firmware. However, the system then won't boot and shows an error message about security violations. Pretty the same as with my first tries, which led to the initial posting. (A Windows media can be booted in secure mode.)