Just had an interesting experience installing Debian bullseye on a Lenovo Thinkpad P14s Gen 3.
I tried to PXE boot the Debian installer and could see in the tftp server log that the Thinkpad loaded the shim, but nothing more. It just jumped back to the PXE boot menu.

After several failed attempts, I was ready to give up and just disable secure boot. So I entered the BIOS settings. But in the Secure Boot page there I noticed an unknown (to me) new setting, which was disabled by default: "Allow Microsoft 3rd Party UEFI CA".

I enabled it and tried PXE booting the Debian install again. And voilà - the shim ran and loaded grub etc. as it should.

So to anyone struggling with secure boot: Look for this setting or something similar in the BIOS. They've obviously found a new way to break secure boot by default.

Bjørn