It is currently possible to build a shim with an insecure configuration where the NX_COMPAT flag in DllCharacteristics is set but mok_policy does not have the NX_REQUIRE flag set.
This should be prevented because such a shim can be booted on NX-enforcing firmware and can be used to chainload non-NX binaries, and thus becomes an NX bypass tool.
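
A post-build check for the combination described above, as an added example that is not shim's own code: it reads DllCharacteristics from the built PE image and rejects the build when NX_COMPAT is set while the default mok_policy lacks NX_REQUIRE. The names `NX_REQUIRE_BIT`, `is_nx_bypass_config` and `make_sample_pe` and the bit value `0x01` are assumptions for illustration, and the sample image is constructed.

```python
import struct

NX_COMPAT = 0x0100       # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (PE/COFF spec)
NX_REQUIRE_BIT = 0x01    # assumed bit for the NX_REQUIRE flag in mok_policy


def dll_characteristics(image: bytes) -> int:
    """Return DllCharacteristics from a PE32 or PE32+ image."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 4 + 20            # skip signature + COFF file header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):  # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        # The field is at offset 70 of the optional header in both layouts.
        (chars,) = struct.unpack_from("<H", image, opt + 70)
    except struct.error as exc:
        raise ValueError("truncated PE image") from exc
    return chars


def is_nx_bypass_config(image: bytes, mok_policy: int) -> bool:
    """True when the image advertises NX_COMPAT but the policy lacks NX_REQUIRE."""
    nx_compat = bool(dll_characteristics(image) & NX_COMPAT)
    nx_require = bool(mok_policy & NX_REQUIRE_BIT)
    return nx_compat and not nx_require


def make_sample_pe(chars: int) -> bytes:
    """Constructed minimal PE32+ header, only enough for the parser above."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x0022)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)      # subsystem: EFI application
    struct.pack_into("<H", opt, 70, chars)   # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for chars, policy in [(NX_COMPAT, 0), (NX_COMPAT, NX_REQUIRE_BIT), (0, 0)]:
        bad = is_nx_bypass_config(make_sample_pe(chars), policy)
        print(f"DllCharacteristics={chars:#06x} mok_policy={policy:#04x} "
              f"-> {'REJECT' if bad else 'ok'}")
```
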