nxe9 Tux's lil' helper
Joined: 05 Jun 2021 Posts: 82
Posted: Sat Oct 26, 2024 12:49 am Post subject: Dual System Secure Boot (Gentoo+Windows), shim vs non shim
Hi, I am considering Secure Boot on a dual system (Gentoo + Win11). I have read a few articles and I want to make sure I understand the difference between shim and non-shim Secure Boot in terms of security, specifically with reference to one example.
Let's assume we have malware on our system which interfered with our boot binary. Let's assume that our private keys are well secured and the malicious actor has no access to them. In the case of non-shim, for the system to boot, the malware would have to modify the UEFI db data. In turn, to do this, you would need a PK/KEK private key (which is not available), or to reset the PK (setup mode) and upload your own, which would require running UEFI, i.e. physical access to the computer. In this case, the malware would not harm us regarding the boot process.
In the case of shim, the MOK list is modified. Since the MOK list is not stored in UEFI memory, malware could modify not only our boot binary, but also the MOK list without having physical access to the computer, which would make it possible to start the system with replaced boot components. As a result, the safety associated with shim is lower than with non-shim.
So what are the benefits of shim? From what I understand, there is no need to back up the old keys, delete them, generate new keys and create a compound (old+new), because the shim is signed with a Microsoft certificate. However, we do this at the expense of security, because we transfer some public keys to the operating system level.
Is everything I wrote correct?
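Added example (not part of the original post): on Linux, the attribute word that efivarfs puts in front of each variable shows whether the running OS can rewrite that variable, which is the property the post compares for db and the MOK list. This Python check is written for this page; the sample blobs and their attribute values are constructed, and `parse_efivarfs`, `write_policy`, `audit`, `read_efivarfs` and the policy labels are names chosen here.

```python
import os
import struct

# Attribute bits from the UEFI specification (SetVariable()).
NON_VOLATILE = 0x01
RUNTIME_ACCESS = 0x04
AUTHENTICATED_WRITE_ACCESS = 0x10             # deprecated counter-based form
TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20  # used by PK, KEK, db, dbx

def parse_efivarfs(blob):
    """efivarfs files are a 4-byte little-endian attribute word, then the data."""
    if len(blob) < 4:
        raise ValueError("shorter than the 4-byte efivarfs attribute header")
    return struct.unpack_from("<I", blob)[0], blob[4:]

def write_policy(attrs):
    """Classify who can change a variable once the OS is running."""
    if not attrs & RUNTIME_ACCESS:
        return "boot-services-only"    # unreachable after ExitBootServices()
    if attrs & (AUTHENTICATED_WRITE_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS):
        return "signed-update-only"    # firmware verifies a signature on writes
    if not attrs & NON_VOLATILE:
        return "read-only-at-runtime"  # volatile + runtime: read-only for the OS
    return "os-writable"               # any privileged OS code can rewrite it

def audit(variables):
    """Map {efivarfs file name: raw bytes} to {file name: write policy}."""
    return {n: write_policy(parse_efivarfs(b)[0]) for n, b in variables.items()}

def read_efivarfs(names, root="/sys/firmware/efi/efivars"):
    """Read the named variables from a live system, skipping absent ones."""
    out = {}
    for n in names:
        path = os.path.join(root, n)
        if os.path.exists(path):
            with open(path, "rb") as f:
                out[n] = f.read()
    return out

# Constructed sample blobs (attribute word + dummy payload), not real dumps.
SAMPLES = {
    "PK-8be4df61-93ca-11d2-aa0d-00e098032b8c": struct.pack("<I", 0x27) + b"\0" * 8,
    "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f": struct.pack("<I", 0x27) + b"\0" * 8,
    "MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23": struct.pack("<I", 0x06) + b"\0" * 8,
    "Example-00000000-0000-0000-0000-000000000000": struct.pack("<I", 0x07) + b"\0" * 8,
}

if __name__ == "__main__":
    live = read_efivarfs(SAMPLES)  # empty on a non-UEFI host: use the samples
    for name, policy in audit(live or SAMPLES).items():
        print(f"{policy:22} {name}")
```

efivarfs only lists variables that have runtime access, so the `boot-services-only` class applies to attribute words obtained some other way, for example from a firmware dump.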