The simplified way of how Secure Boot works is you have a bunch of public keys stored in the UEFI, and you can sign .efi executables with the private key. If the signature of an executable is invalid or the file has been tampered with, UEFI refuses to run it.

Now, every computer sold nowadays comes with Microsoft’s keys pre-installed, one for Windows and one for stuff that Microsoft deems worthy of signing.

One of those things is shim, it’s signed with one of Microsoft keys and it looks for the MOK database to see what it can boot or not.

But you don’t have to use Microsoft keys, you can make your own, put it in your UEFI and sign your stuff. That’s why UKI is useful, it’s a single EFI file you can sign. You can even sign your bootloader, like systemd-boot. The Secure Boot Arch Linux Wiki link contains information of how to do it easily with sbctl.

TPM is completely independent of Secure Boot, it can be used with or without it.

The way I do it is I use a UKI. It’s an approach similar to efistub, you pack the kernel and initramfs into a single EFI file, then sign it with custom Secure Boot keys generated with sbctl.