@ethan.hsieh That error message is unexpected, but it doesn't matter too much anyway - there's no support at all for computing PCR digests for systems that boot kernels that are verified with a MOK. The only way to test kernels signed with non-production keys is to take control of the device's signature database (delete the platform key and enroll your own db, KEK and then enroll a custom PK to re-enable secure boot).
@ethan.hsieh That error message is unexpected, but it doesn't matter too much anyway - there's no support at all for computing PCR digests for systems that boot kernels that are verified with a MOK. The only way to test kernels signed with non-production keys is to take control of the device's signature database (delete the platform key and enroll your own db, KEK and then enroll a custom PK to re-enable secure boot).