rhboot / shim

UEFI shim loader

shim lock protocol is not installed if loaded image returns successfully

medhefgo opened this issue

While hacking on sd-boot, I've noticed that the shim lock protocol vanishes after the first successful StartImage() or one that does return a positive return value that isn't in the EFI_ERROR range. This makes MOK-signed drivers launched manually by sd-boot pretty unusable, as any follow-up kernel image cannot be launched then. This would also prevent falling back to a different boot entry on error.

I think that sd-boot could work around this by caching the shim lock protocol pointer and the replacement StartImage/LoadImage (haven't tried that yet, and I'm not sure if this is how it's supposed to be done). But I still think this is an oversight on shim's side.