Is it possible to boot an unsigned kernel from a signed bootloader?
2 votes, 0 answers, 85 views
I am trying to build a tool to allow people to create network-bootable Linux environments. The primary use case is for mass deployment and configuration of end user devices. Most of these devices have Secure Boot enabled with the Microsoft CA. I am presupposing that my users will be unwilling to manually enroll another UEFI CA, or deal with all the physical presence stuff for MokManager on what will presumably be 100s or 1000s of devices.
I've got the whole process working with Canonical-signed Ubuntu kernels. EFI verifies that the shim is signed by Microsoft, the shim verifies that the kernel is signed by Canonical, the kernel verifies that any modules are signed by Canonical. This works great for Ubuntu-based images, and that might be where I have to leave it. It would be nice, though, if I could support kernels from any distro, signed or unsigned.
At first glance this seems like it is in direct opposition to what Secure Boot is trying to do, but I keep finding sources that indicate that Microsoft only cares about validating code executed before ExitBootServices is called. Indeed, that article indicates Canonical's initial plans were to call ExitBootServices in the boot loader before loading the kernel, relieving the boot loader of any further responsibility to verify code integrity and allowing unsigned kernels to be loaded with Microsoft's blessing.
Is calling ExitBootServices early sufficient to get Microsoft's blessing? Are there any signed, not-revoked copies of GRUB that actually do this and allow loading unsigned kernels?
Asked by 9072997 (121 rep), Oct 10, 2024, 05:23 PM