top | item 33558468


jokabrink | 3 years ago

> Boot chain is typically Firmware → shim → grub ...

Is this really true? Or just when using Red Hat systems? I don't know too much about the boot chain, but I always thought that after the ROM stage, usually GRUB would take over directly from the UEFI.


vetinari | 3 years ago

Shim is there for Secure Boot. Microsoft refused to sign grub (GPL-3), but signed the shim (BSD-2), so shim has its own key store and verifies grub signed by respective distros.

If you don't use Secure Boot, UEFI firmware can boot directly to grub.

jokabrink | 3 years ago

I see, thank you and the others.

vladvasiliu | 3 years ago

You can technically do away with GRUB or similar, too, and have the UEFI boot directly the kernel+initrd image via efistub.

This will, of course, not be signed by MS, so if you use SecureBoot, you need to handle your own signing. Setup is not automatic AFAIK, but once you've created your keys, signed MS's boot key (if you need dual boot), replaced the UEFI's key with yours and set up your package manager to sign every kernel update, everything works well enough. Haven't had a single issue with this in 4 years of running on "enterprise" HP laptops.
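Added example, not code from the thread or from any of the commenters: once you have replaced the firmware's keys with your own, the practical check is to read back what PK, KEK, db and dbx actually contain. The firmware stores them (and shim stores its MokList) as concatenated EFI_SIGNATURE_LIST structures, and Linux exposes each variable through efivarfs as a file with a 4-byte attribute word in front. The parser below handles that format; the efivarfs path in the comment is the real one, but the owner GUID, the "certificate" bytes and the hashes are constructed sample data, not captured from a machine.

```python
"""Inspect UEFI Secure Boot key-store variables (PK, KEK, db, dbx).

Added example, not code from the thread above. Parses the EFI_SIGNATURE_LIST
format used by the firmware key stores (and by shim's MokList) so you can
verify what got enrolled after replacing the vendor keys. On Linux, read e.g.
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f; efivarfs
prefixes the data with a 4-byte attribute word. All sample bytes below are
constructed, not captured from real firmware.
"""
import hashlib
import struct
import uuid
from typing import List, Tuple

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# Variable attribute bits (UEFI spec) as seen in efivarfs' 4-byte prefix.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20


def split_efivar(blob: bytes) -> Tuple[int, bytes]:
    """Strip efivarfs' leading little-endian UINT32 attribute word."""
    if len(blob) < 4:
        raise ValueError("efivar blob shorter than its attribute word")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def parse_signature_lists(data: bytes) -> List[dict]:
    """Walk concatenated EFI_SIGNATURE_LIST structures, one dict per entry.

    Layout of each list (little-endian):
      SignatureType       GUID    16 bytes
      SignatureListSize   UINT32  whole list including this header
      SignatureHeaderSize UINT32  optional header (0 for X509 / SHA256)
      SignatureSize       UINT32  per entry: 16-byte owner GUID + data
      SignatureHeader     SignatureHeaderSize bytes
      Signatures[]        (SignatureListSize - 28 - hdr) / SignatureSize entries
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        if sig_size < 16:
            raise ValueError(f"bad SignatureSize {sig_size} at {off}")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list at {off} is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=body[i:i + 16]),
                "data": body[i + 16:i + sig_size],
            })
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID,
                         payloads: List[bytes]) -> bytes:
    """Inverse of the parser; used here only to construct the sample variable."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def secure_boot_enabled(blob: bytes) -> bool:
    """SecureBoot variable as read from efivarfs: one data byte, 1 = enforcing."""
    _, data = split_efivar(blob)
    return len(data) == 1 and data[0] == 1


# --- constructed sample data: hypothetical owner GUID, fake certificate bytes ---
MY_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # assumed owner GUID
FAKE_DER_CERT = b"\x30\x82\x01\x02" + b"\xab" * 20             # not a real certificate
DB_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
            | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
SAMPLE_DB_FILE = (
    struct.pack("<I", DB_ATTRS)
    + build_signature_list(EFI_CERT_X509_GUID, MY_OWNER, [FAKE_DER_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, MY_OWNER,
                           [hashlib.sha256(b"old-kernel").digest(),
                            hashlib.sha256(b"revoked-shim").digest()])
)
SAMPLE_SECUREBOOT_FILE = (
    struct.pack("<I", EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS) + b"\x01"
)


if __name__ == "__main__":
    # On a real box: open("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read()
    attrs, data = split_efivar(SAMPLE_DB_FILE)
    print(f"attributes=0x{attrs:02x} secure_boot={secure_boot_enabled(SAMPLE_SECUREBOOT_FILE)}")
    for e in parse_signature_lists(data):
        print(f"{e['type']:6} owner={e['owner']} data={e['data'][:8].hex()}.. ({len(e['data'])} bytes)")
```

Run it against the real db and dbx files (root needed) and compare the X509 owners with the GUID you used when enrolling; an unexpected X509 entry in db means the firmware still trusts a key you did not put there. PK and KEK live under the EFI_GLOBAL_VARIABLE GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c and parse the same way.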

josteink | 3 years ago

When using UEFI secure boot you typically boot into the shim (signed with a certificate OOB-trusted on almost all PCs), which verifies the integrity of grub and then passes on control to that.

Without secure boot, I don’t think there is any need for the shim, but if it’s still used or not in those cases, I do not know.