The db/dbx/KEK/PK chain you're modeling is exactly what let CVE-2020-10713 ('BootHole') bypass Secure Boot through a buffer overflow in GRUB2's config parsing, forcing every major Linux distro to rotate their Microsoft-signed shim. Understanding revocation via dbx is also why a perfectly valid Ubuntu ISO can suddenly fail to boot after a firmware update pushes a new blocklist.