I am doing some investigation on secure boot features. I got the overall understanding of how trust chain from firmware all the way to kernel modules.
Basically how bootloader, shim.efi, grubx64.efi care chain signed.
For shim.efi, grubx64.efi I did some own experimental verification to see how it is signed.

For that I wrote simple python script that extracts certificate (public part) from its blob and display it. My python script works on these modules because those *efi files are PE/PE+ compatible module. Therefore I can see the public part of cert-s embedded in those blob.

However I grabbed some of the ko modules from linux using lsmod, modinfo and when try to parse using some scripts, it does not work. Apparently the linux ko files are not PE/PE+ compatible. Can someone shed some light on how these ko modules are built? Thanks.,

Did you read Kernel module signing facility ?

And maybe also, rebuild your kernel without modules you don't need.