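# Secure Boot settings for unified kernel images (dracut.conf-style options).
#
# NOTE: this snippet had been collapsed onto one line, which turned every
# assignment into part of the leading comment so that nothing was set.
# The statements are restored one per line; the values are unchanged.

# Sign unified images with sbctl keys to support secure boot.
# The certificate is public. The key is the private half of the Secure Boot
# "db" signing pair: anyone who can read it can sign binaries this machine's
# firmware will accept. Keep it owned by root and unreadable to other users,
# and keep it out of backups and images that leave the host.
# NOTE(review): these are the paths given on the page; sbctl's key directory
# differs between releases (newer ones use /var/lib/sbctl) - confirm they
# match the installed version before relying on signed images being produced.
uefi_secureboot_cert="/usr/share/secureboot/keys/db/db.pem"
uefi_secureboot_key="/usr/share/secureboot/keys/db/db.key"

# Ask the kernel for lockdown "integrity" mode so that unsigned kernel modules
# cannot be loaded. The option is appended unconditionally: it is embedded in
# every image built with this config, whether or not Secure Boot is enabled
# in firmware when that image boots.
# '+=' keeps any command line set by earlier config files; the surrounding
# spaces keep this option separated from its neighbours.
kernel_cmdline+=" lockdown=integrity "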