boot: add Secure Boot information

and refer to the (updated) wiki article for more in-depth explanations.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

local-zfs.adoc

@@ -524,13 +524,17 @@ process of the new disk has progressed.
 
 ----
 # proxmox-boot-tool format <new disk's ESP>
-# proxmox-boot-tool init <new disk's ESP>
+# proxmox-boot-tool init <new disk's ESP> [grub]
 ----
 
 NOTE: `ESP` stands for EFI System Partition, which is setup as partition #2 on
 bootable disks setup by the {pve} installer since version 5.4. For details, see
 xref:sysboot_proxmox_boot_setup[Setting up a new partition for use as synced ESP].
 
+NOTE: make sure to pass 'grub' as mode to `proxmox-boot-tool init` if
+`proxmox-boot-tool status` indicates your current disks are using Grub,
+especially if Secure Boot is enabled!
+
 .With plain `grub`:
 
 ----

system-booting.adoc

@@ -9,8 +9,9 @@ endif::wiki[]
 selected in the installer.
 
 For EFI Systems installed with ZFS as the root filesystem `systemd-boot` is
-used. All other deployments use the standard `grub` bootloader (this usually
+used, unless Secure Boot is enabled. All other deployments use the standard
-also applies to systems which are installed on top of Debian).
+`grub` bootloader (this usually also applies to systems which are installed on
+top of Debian).
 
 
 [[sysboot_installer_part_scheme]]
@@ -30,9 +31,10 @@ The created partitions are:
     used for the chosen storage type
 
 Systems using ZFS as root filesystem are booted with a kernel and initrd image
-stored on the 512 MB EFI System Partition. For legacy BIOS systems, `grub` is
+stored on the 512 MB EFI System Partition. For legacy BIOS systems, and EFI
-used, for EFI systems `systemd-boot` is used. Both are installed and configured
+systems with Secure Boot enabled, `grub` is used, for EFI systems without
-to point to the ESPs.
+Secure Boot, `systemd-boot` is used. Both are installed and configured to point
+to the ESPs.
 
 `grub` in BIOS mode (`--target i386-pc`) is installed onto the BIOS Boot
 Partition of all selected disks on all systems booted with `grub`
@@ -100,6 +102,15 @@ To setup an existing, unmounted ESP located on `/dev/sda2` for inclusion in
 # proxmox-boot-tool init /dev/sda2
 ----
 
+or
+
+----
+# proxmox-boot-tool init /dev/sda2 grub
+----
+
+to force initialization with Grub instead of systemd-boot, for example for
+Secure Boot support.
+
 Afterwards `/etc/kernel/proxmox-boot-uuids` should contain a new line with the
 UUID of the newly added partition. The `init` command will also automatically
 trigger a refresh of all configured ESPs.
@@ -359,3 +370,24 @@ systems if you call the tool interactively.
 ----
 # proxmox-boot-tool refresh
 ----
+
+[[sysboot_secure_boot]]
+Secure Boot
+~~~~~~~~~~~
+
+Since {pve} 8.1, Secure Boot is supported out of the box via signed packages
+and integration in `proxmox-boot-tool`.
+
+The following packages need to be installed for Secure Boot to be enabled:
+
+- shim-signed (shim bootloader signed by Microsoft)
+- shim-helpers-amd64-signed (fallback bootloader and MOKManager, signed by Proxmox)
+- grub-efi-amd64-signed (Grub EFI bootloader, signed by Proxmox)
+- proxmox-kernel-6.X.Y-Z-pve-signed (Kernel image, signed by Proxmox)
+
+Only Grub as bootloader is supported out of the box, since there are no other
+pre-signed bootloader packages available. Any new installation of {pve} will
+automatically have all of the above packages included.
+
+More details about how Secure Boot works, and how to customize the setup, are
+available in https://pve.proxmox.com/wiki/Secure_Boot_Setup[our wiki].