Executable programs of any type may be digitally signed to confirm their authenticity. To be confirmed as authentic, a file must possess:
1. A signing certificate that states the signer's identity and, if they use one, their Certificate Authority. The certificate can be confirmed by comparing it against a previously stored copy (from a secure certificate store) or by remotely consulting the Certificate Authority.
2. A digital hash (or checksum), computed from the bytes of the program contents and signed using the signing cert. If the hash of the file doesn't match the one provided in the signature header, the file is considered tampered with and untrustworthy.
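The hash check above is worth seeing concretely for PE/EFI binaries such as bootmgfw.efi: the signature lives in the PE Attribute Certificate Table (data directory entry 4), and the hash it certifies is computed over the file with the CheckSum field, that directory entry and the certificate table itself left out, so attaching a signature does not invalidate the very hash it signs. This is an added example, not code from the original post; `build_pe` produces a constructed, sectionless PE32+ image for demonstration, and the blob it stores where the PKCS#7 data would be is a constructed stand-in, not a real signature.

```python
import hashlib
import struct

# PE/COFF layout facts: CheckSum is at offset 64 of the optional header (PE32 and
# PE32+); data directories start at 96 (PE32) or 112 (PE32+); entry 4 is the cert table.
CHECKSUM_OFF, CERT_DIR_INDEX = 64, 4

def build_pe(code: bytes, cert_blob: bytes = b"") -> bytes:
    """Constructed test image (not a real binary): DOS stub, COFF header, PE32+ optional
    header with 16 data directories, no sections, `code`, then an optional WIN_CERTIFICATE."""
    pe_off, opt_size = 0x40, 112 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    hdr_len = pe_off + len(coff) + opt_size
    win_cert = (struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
                if cert_blob else b"")                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 60, hdr_len)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + CERT_DIR_INDEX * 8,    # cert table: file offset, size
                     hdr_len + len(code) if win_cert else 0, len(win_cert))
    return dos + coff + bytes(opt) + code + win_cert

def _cert_dir(pe: bytes):
    """Return (optional header offset, cert directory entry offset, cert offset, cert length)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96) + CERT_DIR_INDEX * 8
    return (opt, dd) + struct.unpack_from("<II", pe, dd)

def signature_blob(pe: bytes) -> bytes:
    """The signer-provided blob (PKCS#7 in a real file), or b'' when the file is unsigned."""
    _, _, cert_off, cert_len = _cert_dir(pe)
    return pe[cert_off + 8:cert_off + cert_len] if cert_len else b""

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 the Authenticode way: skip CheckSum, skip the cert-table directory entry,
    skip the certificate table. Sections are not modelled here; a real implementation
    hashes them in PointerToRawData order before any trailing data."""
    opt, dd, cert_off, cert_len = _cert_dir(pe)
    h = hashlib.sha256()
    h.update(pe[:opt + CHECKSUM_OFF])
    h.update(pe[opt + CHECKSUM_OFF + 4:dd])
    h.update(pe[dd + 8:cert_off if cert_len else len(pe)])
    if cert_len:
        h.update(pe[cert_off + cert_len:])        # anything appended after the table
    return h.hexdigest()
```

Because the signature bytes are excluded, the same image carries the same hash whether unsigned or signed by any certificate, while a single changed code byte produces a different hash, which is exactly the mismatch the loader rejects.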
If your UEFI is in Secure Boot mode, it checks the boot loader's signature and whether the file's certificate is already trusted, i.e. stored in the UEFI's list of Secure Boot keys. Secure Boot keys can be factory-issued in the firmware, added from the BIOS menu, or appended from Windows.
When Secure Boot mode is disabled, the signature is not enforced: any boot loader, trusted or untrusted, works. An untrusted file might be an unsigned file, or a file signed by a key that your UEFI doesn't currently trust.
The normal Windows boot manager (or loader) is bootmgfw.efi, located on the EFI partition. Currently, there are two versions of the same Windows boot manager, one signed by the older Windows UEFI CA 2011 cert and one signed by the newer Windows UEFI CA 2023 cert. For booting off a USB drive, the boot manager is bootx64.efi.
Windows keeps the copies of the two versions under:
2011: \Windows\Boot\EFI
2023: \Windows\Boot\EFI_EX
Linux boot loaders have the option of signing their boot loader (or a shim) with the Microsoft (not Windows) UEFI cert, or of providing their own Secure Boot signing keys. Many distros use the MS-provided cert because OEMs don't want to include every Linux distro's unique signing cert in the BIOS; it's simply easier for them to provide the one MS UEFI cert.
A boot shim is a two-step loader: the first boot loader is signed by a known key (i.e. Microsoft UEFI) and immediately chains to a second boot loader that does the actual work. This lets the first loader (the shim) stay static, so it doesn't need to be re-signed whenever the boot loader changes.
You could write your own boot loader and sign it with a self-signed cert. After importing your cert into the UEFI (in the right key format), it can be added to the list of trusted keys.