I simply do not understand the rationale for not requiring signed kernels and kernel drivers. This seems to defeat the whole point of secureboot. As soon as a signed bootloader allows you to load an unsigned blob..game over.
This is sort of the whole point of the revocation process isn't it? Once a signed bootloader is compromised to allow it to run verified blobs..you revoke the key and prevent the signed bootloader from operating on that system.
You might as well just disable secureboot and be done with it if you are going to use a Microsoft signed bootloader that allows anything to be loaded.