I do not think this should be done, it would make it difficult if not impossible to boot custom kernels. For your own use, you could always build your own signed kernel and add the signing key to the UEFI firmware, or turn off SecureBoot altogether. However, for authors of Debian-based live systems like I am (www.discreete-linux.org), we need a way that will boot the live system on as many computers and platforms as possible without user interaction, including those users which regulary use only windows, and including platforms like Intel-based Tablets/Detachables which often do not allow to turn off Secureboot. Our live system requires a special kernel to work, it cannot work with any generic kernel/initrd signed by Debian.
UEFI/SecureBoot specs do not require to keep the chain of signatures through to the kernel/initrd, it is optional. There should at least be a choice by providing two packages, one which allows booting unsigned kernels and one which doesn't. Or we can find a way for projects to get their kernels and/or own grub signed by Debian.
signature.asc
Description: OpenPGP digital signature
