Shim 15.6 fails to load unsigned efi files without .sbat section when enrolled by the hash using MokManager, ending in an endless loop of security violation screens.
The documentation mentions that it should work for db entries, but does not mention moklist hashes:

If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced

This seems like a bug to me.