rhboot / shim

UEFI shim loader

I made one with a secure boot certificate, but it cannot be loaded under secure boot.

1457384613gh opened this issue · comments

make VENDOR_CERT_FILE=microsoft-uefica-public.cer DEFAULT_LOADER=PreLoader.efi

Then I got a shimx64.efi. It loads PreLoader.efi as default instead of grubx64.efi.

However, it cannot be loaded under secure boot.

What did I do wrong?
Is there something that I haven't done?

Hi, did you correctly sign your PreLoader.efi like grubx64.efi? Or did you correctly enroll the key? If you trace the code, it might fail in:

init_grub() -> start_image() -> handle_image() -> verify_buffer() -> verify_buffer_authenticode()

I copy mmx64.efi there, too.

The shimx64.efi I've made cannot be loaded by UEFI firmware.

It won't load signed mmx64.efi.

The shimx64.efi I've made cannot be loaded by UEFI firmware.

Please check whether your firmware has the corresponding public key, for example the Microsoft key, that can verify your shimx64.efi during the chainload. Thanks.

Are you from Taiwan?
May I speak zh_TW to you?
Which chat app do you use?
May I add you?
I don't want to chat here.

commented

This sounds like a failed BIOS check of shim. You can disable secure boot to confirm that shim validation has failed.
Alternatively, run 'pesign -S -i shimx64.efi' to check the signature of the shim and check whether the corresponding public key exists in the BIOS.
If you can load shim, you can open the log using 'mokutil --set-verbosity true'.