Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.
On each boot, the UEFI firmware verifies the digital signature of each boot component against the secure store of approved keys. Any boot component that isn't properly signed, or isn't signed at all, isn't allowed to run.
If this occurs, the VM instance will show an error state in the GCP console, and the VM instance's serial console log will have an entry containing the strings UEFI: Failed to load image and Status: Security Violation, along with a description of the boot option that failed.
To troubleshoot the failure, disable Secure Boot by using the instructions in Modifying Shielded VM Options so that you can boot the VM instance, diagnose and resolve the issue, then re-enable Secure Boot.