Setting up Secure Boot on NixOS for the Surface Go 3

Setting up Secure Boot on NixOS for the Surface Go 3 is pretty easy. Just follow most steps from the quickstart guide of the Lanzaboote repository.

However, I was confused when it came to actually enabling Secure Boot in the UEFI settings. I thought that I had to boot up into the UEFI interface and enable Secure Boot from there. However, on Surface devices, if Secure Boot is disabled in the UEFI settings, it is set to "setup mode" by default.

This means that you do not have to enable Secure Boot in the UEFI settings at all. Just use the sbctl tool to enroll the keys, reboot, and your device will have Secure Boot enabled.