You have a 3rd option here,
does not involving paying MS money - the same way most Linux distris solve that.
Get an EV certificate from the certificate vendor of your choice and build you own flavor of the SHIM,
this gets to the OSS SHIM approval board, once they greenlight the build process you did - MS will go and sign your SHIM,
you sign GRUB & Kernel with your EV certificate - job done.
SHIM review board and lots of infos on the process can be found here:
https://github.com/rhboot/shim-review
or the variant 4 - which is not super sexy but cheap & cheerful:
Just use a signed SHIM/GRUB/Kernel from a current signed distri of your choice - e.g. taking the Debian LTS Kernel as well as the signed SHIM/Grub from Debian - and you can also happily boot with Secureboot on.
Richie