Fedora kernel: bad shim signature

One easy method is to disable the Secure Boot option in the machine's EFI BIOS.

Otherwise, we can't sign vmlinuz using the MOK, because the MOK is only a gatekeeper for the kernel after vmlinuz has booted. If we want the EFI firmware to accept vmlinuz as a descendant, we must get the machine manufacturer to sign the vmlinuz we built.
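
Before working out who has to sign a self-built vmlinuz, it helps to check whether the image carries an embedded signature at all. The following is an added example, not part of the original note: it parses the PE/COFF certificate table of an EFI image, and the function names and the constructed sample image are assumptions made for illustration.

```python
import struct
import sys

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def pe_signature_entries(image: bytes):
    """Return [(revision, cert_type, blob_len), ...] for each WIN_CERTIFICATE entry."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte magic + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
    if ndirs <= CERT_DIR_INDEX:
        return []
    # For this directory the first field is a file offset, not an RVA.
    pos, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    end = pos + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, ctype, length - 8))
        pos += (length + 7) & ~7  # entries are padded to 8 bytes
    return entries

def constructed_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable kernel."""
    img = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))  # e_lfanew = 64
    img += b"PE\0\0" + b"\0" * 20                                   # COFF header
    img += struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16) + b"\0" * 128
    if signed:
        blob = b"\x30\x82" + b"\0" * 10  # placeholder bytes, not a real PKCS#7 signature
        struct.pack_into("<II", img, 88 + 112 + 8 * CERT_DIR_INDEX, len(img), 24)
        img += struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob + b"\0" * 4
    return bytes(img)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(True)
    found = pe_signature_entries(data)
    print("signature entries:", found if found else "none (image is unsigned)")
```

Run with a path to a kernel image as the first argument to inspect a real file. The result shows only whether signature entries are present, not which key produced them or whether the boot chain trusts that key.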

MOK: Machine Owner Key
UEFI: Unified Extensible Firmware Interface

Refer to:
https://www.rodsbooks.com/efi-bootloaders/secureboot.html