From what I can understand Debian uses a generic shim that is signed with Microsoft’s keys and then it delegates the rest to the system. Apparently this is a fast way to get secure boot to work but “SHIM only checks signatures of the boot loader and kernel, but not the GRUB config file or initramfs, which opens your machine to attacks”. This is why I was looking for a more detailed guide from someone who actually understands this from start to end.