Dear Maintainer,
I can confirm this issue - after upgrade on 21.06.2021, Secure Boot no longer works. Signing the third party kernel modules reports no problems, but the signed modules are not loaded on boot. Issue appears to be that the MOK isnot available during and/or after boot.
host:/# mokutil --list-enrolled
MokListRT is empty
Downgrading shim by downloading the relevant packages from snapshot.debian.org and rolling back results in a system where the MOK is correctly listed by mokutil --list-enrolled:
host:/# apt-get install shim-signed=1.33+15+1533136590.3beb971-7 shim-signed-common=1.33+15+1533136590.3beb971-7 shim-unsigned=15+1533136590.3beb971-7+deb10u1 shim-helpers-amd64-signed=1+15+1533136590.3beb971+7+deb10u1
After this downgrade, the nvidia driver modules were loaded on next boot. The virtualbox modules could only be loaded after re-signing with the MOK. Once this has been done, the system boots normally on subsequent restarts. Following the same procedure and updating from version 1.33 to version 1.34 showed the same behaviour as for 1.36 - mokutil --list-enrolled reported an empty list.
Best regards,
Gareth