
Rework replacements.c and load_image()/start_image() #431

@vathpela

Description

The gist here is that shim's load_image()/start_image() and verification protocol could be much more straightforward:

  1. when shim starts, it should replace BS->LoadImage(), BS->StartImage(), BS->Exit(), and BS->ExitBootServices() with its own, like replacements.c does now
  2. the replacement should transparently enforce the verification protocol
  3. load_image() should install a handle on each EFI_LOADED_IMAGE it returns to identify that it was created by this particular instance
  4. the handle GUID should be generated at runtime using a SHA2 digest of some load address, so that stacked invocations are separate
  5. start_image() should look for the handle, and if it's not there (meaning this EFI_LOADED_IMAGE was not created by this instance of shim's load_image()), defer to the start_image() implementation it replaced at startup
  6. shim also needs to register a protocol with a well-known GUID that has these functions in it, so that a nested shim invocation can defer to using them safely rather than installing its own.
  7. it may be useful to also implement a UEFI volatile keys protocol, so consumers can register their own trust anchors during the boot sequence.
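Items 3 to 5 as a runnable model, added here as an example and not taken from shim's code: a per-instance GUID derived from the load address, the handle tagged by load_image(), and the ownership check in start_image() that defers images it did not load. It assumes a toy in-memory table in place of the UEFI handle database and substitutes FNV-1a for the SHA2 digest the issue proposes, purely so the block runs without a crypto library.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model (not shim code) of the issue's marker protocol: a shim
 * instance derives a GUID from its load address, installs it on each image
 * handle its load_image() returns, and start_image() claims only those. */
typedef struct { uint8_t b[16]; } guid_t;
#define MAX_PROTOS 4
typedef struct { int nproto; guid_t proto[MAX_PROTOS]; } handle_t;
static handle_t handles[8];            /* toy stand-in for the handle database */
/* Stand-in for item 4's SHA2 digest: FNV-1a over the address bytes, widened
 * to 16 bytes, swapped in only so the block stays self-contained. */
static guid_t instance_guid(uint64_t load_addr) {
    guid_t g;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < 16; i++) {
        h ^= (load_addr >> ((i % 8) * 8)) & 0xff;
        h *= 0x100000001b3ULL;
        g.b[i] = (uint8_t)(h >> 56);
    }
    return g;
}
/* load_image(): after verification passes, tag the new handle (item 3). */
static int shim_load_image(const guid_t *me, int handle) {
    handle_t *h = &handles[handle];
    if (h->nproto >= MAX_PROTOS) return -1;
    h->proto[h->nproto++] = *me;
    return 0;
}
/* start_image(): true = loaded by this instance, apply its own policy;
 * false = not ours, hand off to the StartImage saved at startup (item 5). */
static bool shim_start_image(const guid_t *me, int handle) {
    handle_t *h = &handles[handle];
    for (int i = 0; i < h->nproto; i++)
        if (memcmp(&h->proto[i], me, sizeof(guid_t)) == 0) return true;
    return false;
}
/* Two stacked instances at different (constructed) load addresses, each
 * loading one image; returns how many of the four expected behaviours held. */
static int stacked_scenario(void) {
    memset(handles, 0, sizeof(handles));
    guid_t outer = instance_guid(0x10000000u), inner = instance_guid(0x20000000u);
    int ok = memcmp(&outer, &inner, sizeof(guid_t)) != 0;
    ok += shim_load_image(&outer, 0) == 0 && shim_load_image(&inner, 1) == 0;
    ok += shim_start_image(&outer, 0) && !shim_start_image(&outer, 1);
    ok += shim_start_image(&inner, 1) && !shim_start_image(&inner, 0);
    return ok;
}
```

The nested case in item 5 is the one worth watching: the inner instance must return false for the outer instance's image so that the outer start_image() it replaced still runs its own checks.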
