I was only trying to get this enabled since a Linux bootkit supposedly capable of being embedded in motherboard firmware has recently cropped up.
The article is ridiculous. If Secure Boot is disabled, all this theater with patching shim simply is not needed. And if the attacker added their own certificates to MokList (as implied by the color of it in this picture), they can invoke arbitrary code and Secure Boot does not protect against anything.
All this article says is that if an attacker has physical access to your system, the attacker can install and do almost anything on your system.
I have one machine using TPM2 and measured boot running Aeon; Secure Boot is disabled, and it seems to work fine, but it’s a MiniPC and not going anywhere… Other machines have it off…