New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/12495#issuecomment-664792246

Comment:

Signing the shim is a pain, requires payment, and then I believe we'd also have to sign the kernel *and* modules, which is another source of pain, so I don't think we should go that route.

@unixandria-xda From my experience, the easiest route for Secure Boot is simply to not depend on GRUB:

- create SB keys (using openssl commands or something like https://github.com/Foxboron/sbctl - which unfortunately doesn't have a release yet)
- configure dracut for UEFI bundle generation (using #22484, manual configuration or something like https://github.com/zdykstra/zfsbootmenu - this last one is shipped on Void): this will create a bundle that contains the kernel, the cmdline, and the initramfs
- add the `secureboot_*` options to your dracut config, so dracut can sign the bundle at creation time; or extend the sbsigntool hook to sign UEFI bundles (#23688 ?); or create an sbctl hook to sign them (not supported yet)
- boot into the UEFI bundle directly (could have efibootmgr integration?) or into something like rEFInd, whose `refind-install` script can sign the refind executable

The only part that I don't understand much about is enrolling keys, because I do it through my own firmware.
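
The key-creation and dracut-signing steps from the comment above, sketched as an added example (not code from the comment or from void-packages): it creates a signing key pair with openssl, checks that the certificate and private key belong together, and writes a dracut config fragment that builds a UEFI bundle and signs it. The function names, the `db.key`/`db.crt` file names and all paths are assumptions; the `secureboot_*` options are written as dracut's `uefi_secureboot_cert` and `uefi_secureboot_key` settings.

```shell
#!/bin/sh
# Added example; function names, file names and paths are assumptions.

# make_sb_keys DIR [CN]: create a self-signed signing certificate and key.
make_sb_keys() {
    dir=$1
    cn=${2:-"Example Secure Boot signing key"}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
          -subj "/CN=$cn/" -keyout "$dir/db.key" -out "$dir/db.crt" \
          2>/dev/null ) || return 1
}

# keys_match DIR: succeed only if db.crt carries the public key of db.key.
# A mismatched pair yields a bundle the enrolled certificate cannot verify.
keys_match() {
    cert_pub=$(openssl x509 -in "$1/db.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/db.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# write_dracut_conf KEYDIR CONF CMDLINE: config fragment that makes dracut
# build a UEFI bundle (kernel + cmdline + initramfs) and sign it via sbsign.
write_dracut_conf() {
    keydir=$1
    conf=$2
    cmdline=$3
    cat > "$conf" <<EOF
uefi="yes"
kernel_cmdline="$cmdline"
uefi_secureboot_cert="$keydir/db.crt"
uefi_secureboot_key="$keydir/db.key"
EOF
}

# Stand-alone use: script KEYDIR CONF "CMDLINE"
if [ "$#" -eq 3 ]; then
    make_sb_keys "$1" && keys_match "$1" && write_dracut_conf "$1" "$2" "$3"
fi
# Once dracut has produced the bundle, sbsigntool can confirm the signature:
#   sbverify --cert KEYDIR/db.crt PATH_TO_BUNDLE.efi
```

The certificate still has to be enrolled in the firmware before it will accept the signed bundle; that step is firmware-specific and not covered here.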