Two common ways to do Secure Boot are:
1. EFI -> shim -> grub -> kernel
2. EFI -> UKI
I want to keep grub, but discard all third party keys and use my own. One option would be to recompile shim with only my keys, but it seems more straightforward to do a simpler boot chain of EFI -> grub -> UKI.
So far I have:
# Install GRUB with the modules embedded
grub-install --target=x86_64-efi --efi-directory=/boot/efi --boot-directory=/boot/efi/boot \
--modules="normal probe part_gpt part_msdos ext2 search fat lvm luks tpm mdraid1x mdraid09 raid5rec raid6rec all_video gzio datetime chain loadenv configfile test linux ls echo cat help" \
--no-floppy --uefi-secure-boot --force-extra-removable --disable-shim-lock
# Sign with self-generated and enrolled key
cp /boot/efi/boot/grub/x86_64-efi/grub.efi /boot/efi/EFI/BOOT/
cp grub.cfg /boot/efi/EFI/BOOT/grub.cfg
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/BOOT/grub.efi /boot/efi/EFI/BOOT/grub.efi
sbsign --key MOK.key --cert MOK.crt --output /boot/efi/EFI/Linux/vmlinuz.efi /boot/efi/EFI/Linux/vmlinuz.efi
efibootmgr --create -l '/EFI/BOOT/grub.efi'
# grub.cfg
chainloader /EFI/Linux/vmlinuz.efi
boot
This setup boots, but grub does not check the signature of the UKI. It can also probably be convinced to dynamically load unsigned modules.
What do I need to do in grub.cfg to allow proper Secure Boot without shim? Is this even a reasonable thing to do, or must I always use shim to properly populate the PCRs?
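A quick way to audit the chain described in the question from the running OS, as an added example that is not part of the original post: it walks the grub.cfg, collects every image GRUB would load (chainloader, linux, initrd lines), and checks that each one, plus grub.efi itself, carries a signature that verifies against the enrolled certificate. It assumes the paths and the MOK.crt name from the question, an ESP mounted at /boot/efi, and sbverify from sbsigntools being installed; all of those are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example, not code from the question. Verifies that every EFI image
# in the EFI -> grub -> UKI chain is signed by the key we actually enrolled.
set -eu

ESP="${ESP:-/boot/efi}"      # ESP mount point (assumed from the question)
CERT="${CERT:-MOK.crt}"      # enrolled signing certificate (assumed name)

# Read a grub.cfg on stdin and print the ESP-relative path of every image it
# would load. Only chainloader/linux/initrd lines count; a leading device
# prefix such as (hd0,gpt1) is stripped so the path can be joined to $ESP.
chain_images() {
    awk '$1 == "chainloader" || $1 == "linux" || $1 == "initrd" {
             sub(/^\([^)]*\)/, "", $2)
             print $2
         }'
}

# Verify a single PE image against $CERT. Returns 0 only when sbverify
# accepts the Authenticode signature, so an unsigned or wrongly signed UKI
# is reported even though GRUB itself happily chainloaded it.
verify_image() {
    img="$1"
    if [ ! -f "$img" ]; then
        echo "MISSING  $img"
        return 1
    fi
    if sbverify --cert "$CERT" "$img" >/dev/null 2>&1; then
        echo "OK       $img"
    else
        echo "BAD SIG  $img"
        return 1
    fi
}

# Walk the whole chain: the GRUB binary the firmware loads first, then every
# image grub.cfg references. Exit status is non-zero if anything failed.
verify_chain() {
    cfg="$1"
    status=0
    if ! command -v sbverify >/dev/null 2>&1; then
        echo "sbverify not found; install sbsigntools" >&2
        return 2
    fi
    verify_image "$ESP/EFI/BOOT/grub.efi" || status=1
    for rel in $(chain_images < "$cfg"); do
        verify_image "$ESP$rel" || status=1
    done
    return "$status"
}

# Usage: sh verify-chain.sh /boot/efi/EFI/BOOT/grub.cfg
if [ "$#" -gt 0 ]; then
    verify_chain "$1"
fi
```

Run it as root after re-signing; a "BAD SIG" or "MISSING" line for /EFI/Linux/vmlinuz.efi is exactly the case the question worries about, where GRUB boots the image but nothing in the chain has actually checked it against your key. The parser deliberately ignores everything except load directives, so menu entries and `set` lines in a larger grub.cfg do not confuse it.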
Asked by Fadeway
(185 rep)
Mar 3, 2025, 02:51 PM
Last activity: Apr 17, 2025, 01:13 PM