  • Create the signing key (MOK)

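    # Create the Machine Owner Key (MOK) that signs the bootloader.
    # Use a fixed directory instead of `cd !$`: history expansion only exists in
    # interactive shells, so a script running these lines would skip the cd.
    mok_dir=/var/lib/shim-signed/mok
    mkdir -p -- "$mok_dir"
    cd -- "$mok_dir" || exit 1
    # The private key is written without a passphrase (-noenc), so file
    # permissions are its only protection: make new files owner-only.
    umask 077
    # -noenc is the OpenSSL 3 spelling; older releases call the same option -nodes.
    openssl req -newkey rsa:4096 -noenc -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
    # DER copy of the certificate; this is the file later placed on the ESP next
    # to mmx64.efi for enrollment. The .key never leaves this directory.
    openssl x509 -outform DER -in MOK.crt -out MOK.cer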

    Sign the EFI binary

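    # Sign the bootloader with the MOK so shim accepts it once the key is enrolled.
    # Absolute key paths: the bare MOK.key/MOK.crt of the original only resolve
    # while the shell is still inside /var/lib/shim-signed/mok from the previous step.
    mok_dir=/var/lib/shim-signed/mok
    efi_bin=/efi/EFI/Linux/grubx64.efi
    sbsign --key "$mok_dir/MOK.key" --cert "$mok_dir/MOK.crt" --output "$efi_bin" "$efi_bin"
    # Check the signature chains to the MOK before relying on it at boot.
    sbverify --cert "$mok_dir/MOK.crt" "$efi_bin"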

    Copy the EFI binaries

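    # Stage shim, MokManager and the MOK certificate on the ESP and register shim
    # as a firmware boot entry.
    esp_dir=/efi/EFI/Linux
    mok_dir=/var/lib/shim-signed/mok
    # Disk and partition number of the ESP. The original passed the placeholder
    # `--part n`, which efibootmgr rejects, so require the value to be set.
    : "${esp_disk:=/dev/nvme0n1}"
    : "${esp_part:?set esp_part to the ESP partition number}"
    cd -- "$esp_dir" || exit 1
    # shim goes in under the removable-media name; its default next stage is
    # grubx64.efi, the file signed in the previous step, in the same directory.
    cp -- /usr/share/shim-signed/shimx64.efi BOOTx64.EFI
    cp -- /usr/share/shim-signed/mmx64.efi .
    # MokManager enrolls this DER certificate from the ESP; only the public
    # certificate is copied, the private key stays in $mok_dir.
    cp -- "$mok_dir/MOK.cer" .
    # Single quotes keep the backslashes in the EFI path literal.
    efibootmgr --unicode --disk "$esp_disk" --part "$esp_part" --create --label "Shim" --loader '\EFI\Linux\BOOTx64.EFI'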
  • Set up LUKS auto-unlocking with the TPM

    Generate a recovery key

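    # Enroll a recovery key: it keeps the volume unlockable after the password
    # slot is wiped below and whenever TPM unlocking fails. The key is printed
    # once; store it offline before continuing.
    # `--recovery-key` is the full option name (the shorter `--recovery` only
    # works through getopt prefix matching).
    systemd-cryptenroll --recovery-key "${luks:?set luks to the LUKS block device}"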

    Wipe the password slot

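    # Remove every password slot. Do this only after the recovery key from the
    # previous step has been saved and tested: it then becomes the only
    # non-TPM way to unlock the volume.
    systemd-cryptenroll --wipe-slot=password "${luks:?set luks to the LUKS block device}"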

    Add a LUKS keyfile

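    # Add a keyfile slot and use it as the unlock credential for TPM2 enrollment.
    # Both commands need an existing credential; after the wipe above that is
    # the recovery key.
    : "${luks:?set luks to the LUKS block device}"
    keyfile=/path/to/keyfile   # placeholder: a file readable by root only
    # The keyfile remains a valid LUKS key after enrollment. Keep it off
    # persistent unencrypted storage, or wipe its slot once the TPM slot is
    # confirmed to unlock the volume.
    cryptsetup luksAddKey "$luks" "$keyfile"
    # --tpm2-device=auto binds to PCR 7 (Secure Boot state) by default; use
    # --tpm2-pcrs=... to bind further PCRs or --tpm2-with-pin=yes to also
    # require a PIN at boot.
    systemd-cryptenroll "$luks" --tpm2-device=auto --unlock-key-file "$keyfile"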

    Reset the TPM2 enrollment

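    # Drop the TPM2 slot (for example before a firmware or Secure Boot change
    # that would alter PCR 7); re-run the enrollment step afterwards.
    systemd-cryptenroll --wipe-slot=tpm2 "${luks:?set luks to the LUKS block device}"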
  • Add the Linux entry to the Windows boot manager

    REM List firmware boot entries to find the identifier of the Linux (shim) entry.
    REM bcdedit needs an elevated (administrator) prompt.
    bcdedit /enum firmware
    REM Put that entry first in the boot manager display order; replace {id} with
    REM the identifier shown above.
    REM NOTE(review): this edits the default {bootmgr} object; for the firmware
    REM boot order itself the documented form is
    REM   bcdedit /set {fwbootmgr} displayorder {id} /addfirst  -- confirm which is intended.
    bcdedit /displayorder {id} /addfirst
  • Enable discard on LVM-on-LUKS

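    # Pass TRIM through the LUKS and LVM layers and run fstrim weekly.
    # Trade-off: --allow-discards lets anyone with the raw disk see which blocks
    # of the encrypted device are unused.
    : "${luks:?set luks to the LUKS device}"
    # --persistent stores the flag in the LUKS2 header so it applies at every
    # unlock. NOTE(review): `refresh` takes the active mapping name, not the
    # block device path used by systemd-cryptenroll above -- confirm $luks here.
    doas cryptsetup --allow-discards --persistent refresh "$luks"
    # Uncomment and enable issue_discards in the LVM config.
    doas sed -i 's/# issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf
    doas systemctl enable fstrim.timer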
  • Set up rEFInd with BitLocker support

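    # Install rEFInd behind shim and sign its binary with the MOK. With --shim,
    # rEFInd is installed as grubx64.efi, the name shim loads by default.
    mok_dir=/var/lib/shim-signed/mok
    refind_bin=/efi/EFI/refind/grubx64.efi
    doas refind-install --shim /usr/share/shim-signed/shimx64.efi
    # Absolute key paths: the bare MOK.key/MOK.crt of the original only work
    # from inside $mok_dir. sbsign must read MOK.key and write under /efi; if
    # both are root-only, run it under doas like refind-install above.
    sbsign --key "$mok_dir/MOK.key" --cert "$mok_dir/MOK.crt" --output "$refind_bin" "$refind_bin"
    # Check the signature chains to the MOK before rebooting.
    sbverify --cert "$mok_dir/MOK.crt" "$refind_bin"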

    /efi/EFI/refind/refind.conf

    # rEFInd entry that chains to the firmware's own Windows boot entry rather
    # than loading bootmgfw.efi directly -- presumably so BitLocker sees the same
    # boot chain as a native firmware boot; confirm against the BitLocker setup.
    menuentry "Windows" {
    	icon /EFI/refind/icons/os_win8.png
    # Hex number of the firmware boot entry (Boot0000 in `efibootmgr` output);
    # adjust if Windows is listed under a different BootXXXX.
    	firmware_bootnum 0000
    }