I'm author of project which addresses concerns from report for Linux systems: https://github.com/Snawoot/linux-secureboot-kit

It performs bootchain hardening, eliminating any vendor secureboot certificate and replacing with own. Entire bootchain gets signed, including ramdrive and grub configs.