
Old hardware?

Posted Jul 19, 2025 8:30 UTC (Sat) by linuxtardis (guest, #178362)
In reply to: Old hardware? by pabs
Parent article: Linux and Secure Boot certificate expiration

You may still be able to manually load the new Microsoft KEK into UEFI through the Setup UI even without it being signed by the vendor's platform key. In [1] they have the KEK certificate ("Microsoft Corporation KEK 2K CA 2023") and the Owner GUID that has to be entered into UEFI. I remember doing something similar to make my ThinkPad trust some helper utilities signed by me (I had to add my own signing key to the laptop's UEFI "db").

You may also be able to install the new "db" certificate that Microsoft will likely use to sign shim in the future. In [1] it is the "Microsoft UEFI CA 2023" certificate. This is IMO the more important certificate in the short term, as adding it will allow you to run newly signed bootloaders. Luckily, this is also the certificate that LVFS can potentially update even without the help from vendors. This is because the update package for this certificate is already published and is signed by the old, commonly trusted Microsoft KEK (see [2]).

[1]: https://learn.microsoft.com/en-us/windows-hardware/manufa...
[2]: https://github.com/microsoft/secureboot_objects/blob/main...
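
Added example, not part of the comment above and not code from Microsoft or LVFS: one way to check whether a "db" variable already holds the "Microsoft UEFI CA 2023" certificate is to walk its EFI_SIGNATURE_LIST structures. The sample data and owner GUID are constructed, and the name match is a plain byte search of the DER data rather than a real X.509 parse.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): each entry in such a list is a DER X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of the "db" variable (EFI_IMAGE_SECURITY_DATABASE_GUID namespace).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) per entry of concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_certs(blob, common_name):
    """Return owner GUIDs of X.509 entries whose DER bytes contain common_name."""
    # Heuristic: the name is stored as ASCII inside the DER, so a byte search finds it.
    needle = common_name.encode("ascii")
    return [str(owner) for sig_type, owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_X509_GUID and needle in data]

def read_efivar(path):
    """Read an efivarfs file and drop its 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]

def _make_list(owner, payload):
    """Build one single-entry X.509 signature list (used only for the sample below)."""
    body = owner.bytes_le + payload
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed, not a real owner
SAMPLE_DB = (_make_list(SAMPLE_OWNER, b"\x30\x82 constructed CN=Example Old CA")
             + _make_list(SAMPLE_OWNER, b"\x30\x82 constructed CN=Microsoft UEFI CA 2023"))

if __name__ == "__main__":
    print(find_certs(SAMPLE_DB, "Microsoft UEFI CA 2023"))
```

On a Secure Boot machine, `find_certs(read_efivar(DB_PATH), "Microsoft UEFI CA 2023")` runs the same check against the firmware's own "db"; an empty list means the certificate has not been enrolled yet.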




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds