Which? The first one (the one I'm running on my laptop) doesn't involve custom mode at all - I'm using an MS-signed bootloader to exit boot services and do some stuff, with no changes to SecureBoot or PK or any other variables. I have an actual Secure Boot-enabled platform with only Microsoft keys enrolled.
The rest involve changing EFI variables, yes, but my impression is that "Custom Mode" refers to a UI in the BIOS which permits you to change the variables, and those variables are always writable by code running in boot services. The requirements say, "On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: 'Custom' and 'Standard'." Nothing I'm suggesting involves going to firmware setup.
The rest involve changing EFI variables, yes, but my impression is that "Custom Mode" refers to a UI in the BIOS which permits you to change the variables, and those variables are always writable by code running in boot services. The requirements say, "On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: 'Custom' and 'Standard'." Nothing I'm suggesting involves going to firmware setup.