Using Shim with Debian

How to enable Secure Boot with Shim on Debian? I have been following all sorts of articles online but now I have lost my patience. Anyone know how?

Ranbir

Posted 2015-04-28T08:10:04.000


Answers


The last I heard, Debian did not support Secure Boot. If that's changed with Debian 8, it should simplify things greatly. If Debian does not support Secure Boot, though, I suggest you take one step back from your question about Shim and make the question about Secure Boot generally. With that step back, there are three solutions, broadly speaking:

  • You can use the Linux Foundation's PreLoader as your Secure Boot solution. This tool is conceptually similar to Shim, but it records hashes of binaries that you approve, which makes it easier to set up than Shim, which requires cryptographically signing your boot loader and perhaps all your kernels.
  • You can use Shim as your Secure Boot solution. Shim is designed to authenticate binaries based on cryptographic signatures, so you've got to sign your copy of GRUB (or whatever boot loader you use), and possibly also your Linux kernel(s). This process is a bit tedious and impossible to describe succinctly.
  • You can install your own Secure Boot keys and then use them to sign GRUB (or whatever boot loader you use) and possibly your kernels. The signing process is the same as it would be when using Shim, but you can completely remove Shim from the process. The problem is that setting up the keys is more difficult than installing Shim; but you can also remove unwanted keys (such as those from Microsoft, if you don't run Windows).

Overall, using PreLoader is likely to be the easiest solution for your situation -- although if Debian signs its GRUB and kernels, using Shim can be as easy if not easier, once you locate the Debian public key file.

Obviously, this answer isn't complete. Once you decide which approach to use, you'll need more information. Consult my main Secure Boot page for instructions on using PreLoader and Shim, and my Controlling Secure Boot page for information on installing and using your own keys.

One more comment: If this is a single-boot installation, using Secure Boot will provide minimal benefits, especially if you use a version of GRUB that doesn't honor Secure Boot. The main benefits to Secure Boot are on a system that might have its boot loader replaced by malware. Historically, Windows has been the target for such malware, both as the platform that's ultimately compromised and as the OS used to install the malware. That's not to say that Linux can never be targeted, of course; but if it is, and if you use a boot loader that doesn't require the kernel to be signed, you're gaining very little in security by enabling Secure Boot, since the attacker would only need to replace your stock kernel to take control of your system.

Rod Smith

Posted 2015-04-28T08:10:04.000

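Whichever of the three routes above is chosen, Shim and the firmware both look for an Authenticode (PKCS#7) signature stored in the PE image's Certificate Table, so the first thing to check on a GRUB or kernel image is whether that table is present at all. The following is an added example, not code from the answer above: a small Python parser of that table, exercised on a constructed minimal PE32+ image that stands in for a real boot loader.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode, the type Secure Boot verifies

def certificate_table(image: bytes):
    """Return (file_offset, size) of the PE Certificate Table, or (0, 0) if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                 # skip COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x10B:                                        # PE32
        dir_base = opt_off + 96
    elif magic == 0x20B:                                      # PE32+ (64-bit UEFI binaries)
        dir_base = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dir_base + 4 * 8                                  # IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", image, entry)            # (file offset, size)

def signature_types(image: bytes):
    """List the WIN_CERTIFICATE types in the table; empty for an unsigned image."""
    off, size = certificate_table(image)
    end, types = off + size, []
    while off and off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8:
            break
        types.append(ctype)
        off += (length + 7) & ~7                              # entries are 8-byte aligned
    return types

def is_authenticode_signed(image: bytes) -> bool:
    return WIN_CERT_TYPE_PKCS_SIGNED_DATA in signature_types(image)

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for testing; not a real boot loader."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    header = dos + b"PE\0\0" + coff
    if not signed:
        return header + bytes(opt)
    payload = b"\x30\x82" + b"\xAA" * 14                      # placeholder, not real PKCS#7
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    struct.pack_into("<II", opt, 112 + 32, len(header) + 240, len(cert))
    return header + bytes(opt) + cert
```

A present table only shows that a signature blob exists; whether it chains to a key Shim or the firmware trusts is a separate check that tools such as sbverify perform against the enrolled certificates.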