Can someone explain why the following won't work (it seems too obvious):
1. Write a minimal UEFI bootloader, signed by the keys, and available
to everyone as a binary blob.
2. That bootloader's job is to chainload Grub. (possibly verifying Grub's image).
3. Grub then does whatever it wants to.
It seems that this would work, provided that key revocation can only be authorised by the author of the bootloader. If I say my bootloader is working as I designed it (even though that design is intended to chainload Grub and bypass the security misfeature), can a 3rd party revoke my key?