first, we need to install some tools
sudo xbps-install sbctl sbsigntool efitools
before anything else, let's back up your current efi keys. i recommend creating a folder and backing them up there
mkdir keybackup
cd keybackup
for var in PK KEK db dbx ; do efi-readvar -v $var -o factory_${var}.esl ; done
now go to your bios, go to your secure boot configuration and put it in "setup mode", or there should be an option to clear the keys
now, we need to create our own keys, make sure to run this with root privileges
sbctl create-keys
and then, we enroll the microsoft keys.
do note that this might brick some non uefi compliant devices
sbctl enroll-keys --microsoft
now run "sbctl status", it should say there that sbctl is installed
now, we need to sign our bootloader. in this case im gonna assume my bootloader is grub and my esp partition is mounted at /boot/efi
sbctl sign -s /boot/efi/EFI/void_grub/grubx64.efi
now sign your kernel, it should be something like this: /boot/vmlinuz. it should end with the kernel version.
now we have to reinstall grub with some options
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
just to make sure everything is signed, do this
sbctl sign-all
now reboot, go to your bios and enable secure boot
you should be done
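
a check for the backup step above, worth running before you clear the keys in the bios: this added example (not part of the original guide) parses the factory_*.esl files and lists what each one holds, so an empty or truncated backup shows up while the factory keys are still in the firmware. it assumes the files are raw EFI signature lists as written by efi-readvar -o; make_list is a hypothetical helper that only builds constructed test data.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_esl(blob):
    """Return [(type_name, owner_guid, data_len), ...] or raise ValueError."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body = list_size - HEADER.size - hdr_size
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are mixed-endian
        name = SIG_TYPES.get(sig_type, str(sig_type))
        pos = off + HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((name, str(owner), sig_size - 16))
            pos += sig_size
        off += list_size
    return entries


def make_list(sig_type, owner, datas):
    """Build one constructed EFI_SIGNATURE_LIST (test data, equal-sized entries)."""
    size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, size) + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. factory_PK.esl factory_KEK.esl factory_db.esl
        with open(path, "rb") as fh:
            found = parse_esl(fh.read())
        print(path, "EMPTY (nothing was backed up)" if not found else "")
        for kind, owner, size in found:
            print(f"  {kind:8} owner={owner} {size} bytes")
```

run it from the keybackup folder with the four .esl files as arguments; a ValueError or an EMPTY line for PK, KEK or db means the backup should be redone before the keys are cleared.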