Secure Boot chain with nfsroot

September 11, 2019

I have a problem with Secure Boot. I built a Debian live image and set up an NFS server. On the local machine's ESP partition are the kernel, initramfs, shim, MOK Manager, and systemd-boot. If I start without Secure Boot enabled, everything works. With Secure Boot I get a security violation when loading the kernel (vmlinuz). The systemd-boot EFI binary is signed with my own MOK key and is loaded correctly. The shim I use is the one provided by Debian. The kernel is signed by Debian, tested with sbverify. The Debian MOK key is deployed on the local machine, tested with mokutil.

Does anyone have an idea why this is failing, or an idea for troubleshooting?

Tags : linux boot debian

