How to enable secure boot on PVE 6?

[Proxygen]

Now that debian buster supports secureboot, how do I enable it in PVE 6?

also, do i have this right? I will not be able (or it will be complicated) to install kernel modules on lxc containers. if i need to install kernel modules I should use KVM (without secure boot, or is secure boot available also for KVMs)?

 

[fabian]

We don't offer signed kernel images or Grub (yet), so there is no Secure Boot with PVE.

LXC guests share a kernel with the host system, so you need to load the modules for the host and all containers, or not at all. If you want to have a certain kernel module only for one guest, you should use a VM (then you can also choose a different kernel version or kernel altogether ). There is some support for emulating Secure Boot in Qemu, but it is not integrated in PVE and does not make much sense if the host itself does not have a verified boot chain.