To my knowledge that's not possible with the Microsoft bootloader, you need to use Microsoft's keys, hence why I am suggesting that this open source bootloader could be useful. Can you provide some more information about such a setup?
- Remove all keys (switch to Setup mode)
- Set up your own PKI and platform keys
- Sign hash of specific EFI files and load those signatures into EFI
The last part doesn't require modifying the files themselves, as you're locking specific files. The firmware will make a hash of the file and verify that it's on the permitted list (the list is signed).
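As an added illustration of what "load those signatures into EFI" means on the wire (example code written for this thread, not from any poster or project): the `db` variable holds EFI_SIGNATURE_LIST structures, and a hash allow-list entry is a list of type EFI_CERT_SHA256_GUID whose entries are an owner GUID plus the 32-byte digest. The owner GUID and the digests below are constructed placeholders.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): list entries are raw SHA-256 digests
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Hypothetical owner GUID for this example; a real deployment uses its own
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
# Constructed sample digests standing in for Authenticode hashes of two EFI images
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed image %d" % i).digest() for i in range(2)]

def build_sha256_esl(hashes, owner=OWNER_GUID):
    """Build one EFI_SIGNATURE_LIST with an EFI_SIGNATURE_DATA entry per SHA-256 digest."""
    for h in hashes:
        if len(h) != 32:
            raise ValueError("SHA-256 digest must be 32 bytes")
    sig_size = 16 + 32                       # SignatureOwner GUID + digest
    list_size = 16 + 4 + 4 + 4 + sig_size * len(hashes)
    # SignatureType, SignatureListSize, SignatureHeaderSize (0 for hashes), SignatureSize
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    body = b"".join(owner.bytes_le + h for h in hashes)
    return header + body

def parse_esl(data):
    """Walk concatenated EFI_SIGNATURE_LISTs; return [(type_guid, owner_guid, payload), ...]."""
    entries = []
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size            # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def is_allowed(db_bytes, digest):
    """Mirror the firmware's db check: is this image digest present as a SHA-256 entry?"""
    return any(t == EFI_CERT_SHA256_GUID and payload == digest
               for t, _owner, payload in parse_esl(db_bytes))
```

Two caveats a practitioner would want: the digest the firmware compares is the Authenticode hash of the PE image (checksum and certificate table excluded), which is what efitools' `hash-to-efi-sig-list` produces, not a plain file hash; and before `db` accepts the list it must still be wrapped in an EFI_VARIABLE_AUTHENTICATION_2 structure signed with the KEK key (for example with `sign-efi-sig-list`), which is the signing step the comment refers to.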
I feel like this was a toy/thought experiment that turned into learning a lot about Windows, EFI, bootstrapping, etc.
Why not copy as many files as possible with windows, and then go to Linux to copy the last few?
Nice experiment, anyway.