I can confirm that building 15.7 from the debian git, using it to
boot (with secure boot off) with the right EFI entry results in
the update going through:
sudo apt-get build-dep shim
sudo apt-get install libefivar-dev # New dependency that apt
won't be aware of yet
git clone https://salsa.debian.org/efi-team/shim.git
dpkg-buildpackage -uc -b
sudo dpkg -i ../shim-unsigned_15.7-1~deb11u1_amd64.deb
sudo mv /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/debian/shimx64-154.efi
sudo cp /usr/lib/shim/shimx64.efi /boot/efi/EFI/debian/shimx64.efi
-- reboot into firmware, disable secure boot --
-- boot the Linux-Firmware-Updater entry, let the system update --
-- boot back into debian --
sudo apt-get install shim-unsigned=15.4-7
sudo mv /boot/efi/EFI/debian/shimx64-154.efi /boot/efi/EFI/debian/shimx64.efi
Signing the shim with MOK doesn't work, FYI, I did try that.
Nathaniel Roach