New comment by dm17 on void-packages repository

https://github.com/void-linux/void-packages/issues/12495#issuecomment-1197656354

Comment:
> Signing the shim is a pain, requires payment, and then I believe we'd also have to sign the kernel _and_ modules, which is another source of pain, so I don't think we should go that route.
>
> @unixandria-xda From my experience, the easiest route for Secure Boot is simply to not depend on GRUB:
>
> * create SB keys (using openssl commands or something like https://github.com/Foxboron/sbctl - which unfortunately doesn't have a release yet)
> * configure dracut for UEFI bundle generation (using [dracut: add EFI kernel hook #22484](https://github.com/void-linux/void-packages/pull/22484), manual configuration or something like https://github.com/zdykstra/zfsbootmenu - this last one is shipped on Void): this will create a bundle that contains the kernel, the cmdline, and the initramfs
> * add the `secureboot_*` options to your dracut config, so dracut can sign the bundle at creation time; or extend the sbsigntool hook to sign UEFI bundles ([sbsigntool: rewrite post-install kernel hook #23688](https://github.com/void-linux/void-packages/pull/23688) ?); or create a sbctl hook to sign them (not supported yet)
> * boot into the UEFI bundle directly (could have efibootmgr integration?) or into something like rEFInd, whose `refind-install` script can sign the refind executable
>
> The only part that I don't understand much about is enrolling keys, because I do it through my own firmware.

Looks like a great start. Has anyone gone further with creating clear instructions for a secureboot / signed ZBM setup?
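
The first three steps quoted in the comment above, sketched as a POSIX shell script. This is an added example, not part of the comment or of any Void Linux package; the function names, key directory, drop-in path and certificate CN are assumptions, and `uefi_secureboot_key` / `uefi_secureboot_cert` are the option names as documented in dracut.conf(5). Key enrollment in firmware is not covered.

```shell
#!/bin/sh
# Added example. Function names, paths and the certificate CN are assumptions.

# Step 1: create a signing key and self-signed certificate with openssl.
gen_sb_keypair() {  # $1 = key directory
    (
        umask 077   # the private key must not be readable by other users
        mkdir -p "$1" &&
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Local Secure Boot signing key/" \
            -keyout "$1/db.key" -out "$1/db.crt"
    )
}

# Steps 2 and 3: write a dracut drop-in that builds a UEFI bundle (kernel,
# cmdline, initramfs in one EFI executable) and signs it at creation time.
write_dracut_conf() {  # $1 = drop-in file, $2 = key directory, $3 = kernel cmdline
    # dracut sources its config as shell, so refuse characters that would
    # change how the quoted value is parsed.
    case "$3" in
        *\"*|*\$*|*\`*|*\\*)
            echo "unsafe character in kernel cmdline" >&2
            return 1 ;;
    esac
    cat > "$1" <<EOF
uefi="yes"
kernel_cmdline="$3"
uefi_secureboot_key="$2/db.key"
uefi_secureboot_cert="$2/db.crt"
EOF
}

# Build the bundle, then confirm its signature verifies against the same
# certificate that will be enrolled in the firmware.
build_and_verify() {  # $1 = kernel version, $2 = output .efi, $3 = key directory
    dracut --force --uefi --kver "$1" "$2" &&
    sbverify --cert "$3/db.crt" "$2"
}

# Typical sequence, run as root (all paths are assumptions):
#   gen_sb_keypair /etc/sbkeys
#   write_dracut_conf /etc/dracut.conf.d/10-uefi.conf /etc/sbkeys "root=/dev/sda2 ro"
#   build_and_verify "$(uname -r)" /boot/efi/EFI/Linux/void.efi /etc/sbkeys
```

Because the cmdline is embedded in the signed bundle, changing it means regenerating and re-signing the bundle.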