by jeroenhd 696 days ago
Arch has a pretty useful key enrollment tool that I'm sure exists on other distros too. Only command line, though. There's also tooling for enrolling a custom key database if your firmware doesn't accept the standard API by creating a bootable key management update tool with your preferred keys.

There's a guide for both approaches here: https://wiki.archlinux.org/title/Unified_Extensible_Firmware.... You'll need to make sure whatever distro you use has the right hooks to sign the boot images after each upgrade (i.e. an apt callback rather than a pacman callback) if you're not using Arch, of course.

Using the sbenroll tool, the process is three commands (generate keys, enroll keys, sign current bootloaders) plus whatever extra BIOS interfacing logic your computer needs on top of normal secure boot stuff like unlocking the BIOS through a password.

1 comment

As I pointed out to the other respondent, I don't think people are understanding what I'm saying. I'm not suggesting that it's not possible to manually enroll, or self-sign (which should come with a giant warning that it basically invalidates much of the security if the signing keys aren't protected with something hopefully more complex than a keyboard-entered password).

Basically, the installers should be replacing the existing certs and keys with distro-supplied ones which are maintained along with global DBX entries by the distro itself, with a distro-supplied KEK/etc. where the private keys are stored in a high-security environment not available to most users.

It's really the kind of project the Linux Foundation should be sponsoring so the infra could be shared cross-distro.