# [SETUP] Windows Dualboot + Secure Boot


hearty oar
#

Format

Most text will be thoughts/context.

Direct questions or topics that I'd like insight into are put in a quote block

Context

I've bought a new laptop, and I've been wanting to fully switch to Linux as my main OS for a really long time, and decided to use this opportunity to do so, but after reading the wiki A LOT, I've come up against some pain points in my research (I'm not gonna yolo an arch install lmao).

I will be doing a Windows dualboot, with systemd-boot for my boot manager.

The laptop got 2 m.2 slots, so I'll be having 2 SSDs in the future, but the initial setup will live on the same disk. My partitioning scheme so far looks something like this:

  • sda1 -> FAT32 (300 MiB) - ESP -> mounts to /efi
  • sda2 -> XBOOTLDR (2GiB) -> mounts to /boot
  • sda3 -> NTFS (400GiB) - Windows 10 install for those games that REEEALLY want Windows because they require some level of kernel level anti-cheat (which also requires enabled secure boot)
  • sda4 -> EXT4 (remaining) - linux -> mounts to /

At first I had just made a single 2GiB EFI partition, but different parts of the wiki suggested doing things differently:

So that's why I have 2 boot partitions, even tho I manually partitioned the EFI partition during the windows install.

I'm not sure if this is needed to have a functional secure boot environment. (I only care about being able to secure boot Windows)

Secure Boot

This is where I got scared. Replacing the Platform Key with my own to sign the kernels, would mean:

  • Firmware updates from the manufacturer would not work, as I've changed the PK and their certificates are invalid now.
  • Windows updates would stop working, or there would be issues with SecureBoot, as I'd probably have to re-sign the windows kernel myself after each update.
  • My laptop is highly likely to brick, because of the OpROMs of the NVIDIA GPU.

Is there a way to avoid these issues?

Also, on the topic of secure boot.

What files do I need to sign?

  • From my current limited understanding, the kernel itself is the vmlinuz* file, and initramfs*.img is just the initial ram state with drivers?

Do DKMS modules need signing? (biggest example, the nvidia drivers, needed for wayland).
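The question of which files need a signature comes down to which of them are PE/EFI images. On x86-64 the Arch kernel (vmlinuz) is a PE image with an EFI stub, so it can carry an Authenticode signature; the initramfs is a (usually compressed) cpio archive, which is not a PE image and cannot be signed on its own, which is why a unified kernel image (UKI) bundles kernel and initramfs into one PE that a single signature covers. Kernel modules (DKMS builds included) are ELF objects and use the kernel's own module-signing scheme rather than Authenticode; whether unsigned modules are refused depends on the kernel configuration, not on the firmware's Secure Boot state. The following parser is an added example, not code from the post or the Arch wiki: it reads the PE optional header's certificate table to tell a signed EFI binary from an unsigned one, and recognises the common initramfs container magics as "cannot be signed directly". The sample files are constructed in the block; on a real system the blobs would be read from /efi and /boot.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Added example: minimal Authenticode presence check for boot files.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Magic numbers of non-PE blobs; these cannot carry an Authenticode signature.
# An initramfs is covered by Secure Boot only when bundled into a UKI.
NON_PE_MAGICS = {
    b"070701": "cpio newc archive (uncompressed initramfs)",
    b"\x1f\x8b": "gzip stream",
    b"\x28\xb5\x2f\xfd": "zstd stream",
    b"\xfd7zXZ\x00": "xz stream",
    b"\x04\x22\x4d\x18": "lz4 stream",
}


@dataclass
class BootFileStatus:
    kind: str      # "pe" or a description of the non-PE blob
    signed: bool   # True only when a PKCS#7 Authenticode blob is present
    detail: str


def classify_boot_file(data: bytes) -> BootFileStatus:
    """Inspect the PE optional header's certificate table (data directory 4)."""
    if data[:2] != b"MZ":
        for magic, name in NON_PE_MAGICS.items():
            if data.startswith(magic):
                return BootFileStatus(name, False, "not a PE image, cannot be signed directly")
        return BootFileStatus("unknown", False, "no recognised magic")
    if len(data) < 0x40:
        return BootFileStatus("pe", False, "truncated DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return BootFileStatus("pe", False, "bad PE signature")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return BootFileStatus("pe", False, "truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                        # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                      # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        return BootFileStatus("pe", False, f"unknown optional header magic {magic:#x}")
    if dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) > len(data):
        return BootFileStatus("pe", False, "truncated optional header")
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return BootFileStatus("pe", False, "no security directory")
    # For the security directory the "VirtualAddress" field is a file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_size == 0:
        return BootFileStatus("pe", False, "security directory empty (unsigned)")
    if sec_off + 8 > len(data) or sec_off + sec_size > len(data):
        return BootFileStatus("pe", False, "security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return BootFileStatus("pe", False, f"unexpected certificate type {cert_type:#x}")
    return BootFileStatus("pe", True, f"Authenticode signature present ({length} bytes, revision {revision:#x})")


def unsigned_pe_files(files: dict[str, bytes]) -> list[str]:
    """Names of PE images that Secure Boot would reject because they carry no signature at all."""
    result = []
    for name, blob in files.items():
        status = classify_boot_file(blob)
        if status.kind == "pe" and not status.signed:
            result.append(name)
    return result


def build_sample_pe(signature_blob: bytes | None) -> bytes:
    """Constructed PE32+ skeleton (no sections), used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    if signature_blob is None:
        return dos + coff + bytes(opt)
    cert_off = len(dos) + len(coff) + len(opt)
    win_cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    return dos + coff + bytes(opt) + win_cert


# Constructed stand-ins for files under /efi and /boot; real ones would be read from disk.
SAMPLE_FILES = {
    "EFI/systemd/systemd-bootx64.efi": build_sample_pe(b"\x30\x82\x00\x04placeholder-pkcs7"),
    "vmlinuz-linux": build_sample_pe(None),                    # kernel with EFI stub, not yet signed
    "initramfs-linux.img": b"\x28\xb5\x2f\xfd" + b"\0" * 32,   # zstd-compressed initramfs
}

if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        st = classify_boot_file(blob)
        print(f"{name}: {st.kind}, signed={st.signed}: {st.detail}")
    print("needs signing:", unsigned_pe_files(SAMPLE_FILES))
```

This only reports whether a signature is attached; it does not check that the signature chains to a certificate enrolled in db, which is what `sbverify --cert` (from sbsigntools) does against a given certificate.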

hearty oar
#

Oh btw, extra context. The laptop uses InsydeH2O, and on the graphical settings there's an "expert key management" menu where I can manage the PK, KEK, db and dbx.
I do have a restore factory keys, and options to export, but idk if I can add my own KEK without replacing the PK, or if I can export and reimport them after replacing the PK.

hearty oar
#

Update: InsydeH2O is great, I've made a backup of everything. One time my dGPU stopped working, but after reloading the old keys SecureBoot for Windows worked again, so that's that
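Having an exported backup of the PK, KEK, db and dbx is only useful if you can see what is in it and confirm that what was reloaded matches what was saved. Firmware exports of these variables (and the files under /sys/firmware/efi/efivars, once their 4-byte attribute prefix is stripped) use the EFI_SIGNATURE_LIST format: a 28-byte header (type GUID, list size, header size, entry size) followed by fixed-size entries, each an owner GUID plus a SHA-256 hash or a DER certificate. The following parser is an added example, not the poster's code or any vendor tool, and it assumes the export is a plain concatenation of such lists. The sample db contents (owner GUID, hashes, and the placeholder certificate bytes) are constructed in the block; the two real signature-type GUIDs are the ones defined in the UEFI specification.

```python
from __future__ import annotations
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Added example: inventory and diff of exported Secure Boot variables (PK/KEK/db/dbx).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGNATURE_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
ESL_HEADER_SIZE = 28   # SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


@dataclass(frozen=True)
class SignatureEntry:
    sig_type: str       # "sha256", "x509", or the raw type GUID for other kinds
    owner: uuid.UUID    # SignatureOwner GUID
    data: bytes         # the hash or the DER certificate


def parse_signature_lists(blob: bytes) -> list[SignatureEntry]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures and return every entry."""
    entries: list[SignatureEntry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_SIZE:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])   # GUIDs use the mixed-endian layout
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_SIZE or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body_start = off + ESL_HEADER_SIZE + hdr_size
        body_len = list_size - ESL_HEADER_SIZE - hdr_size
        if body_len < 0 or body_len % sig_size:
            raise ValueError(f"signature body of {body_len} bytes is not a multiple of {sig_size}")
        name = SIGNATURE_TYPE_NAMES.get(type_guid, str(type_guid))
        for i in range(body_len // sig_size):
            s = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[s:s + 16])
            entries.append(SignatureEntry(name, owner, blob[s + 16:s + sig_size]))
        off += list_size
    return entries


def build_signature_list(type_guid: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; all items in a list must have the same length."""
    if len({len(item) for item in items}) != 1:
        raise ValueError("entries in one list must be the same size")
    body = b"".join(owner.bytes_le + item for item in items)
    header = type_guid.bytes_le + struct.pack("<III", ESL_HEADER_SIZE + len(body), 0, 16 + len(items[0]))
    return header + body


def compare_exports(before: bytes, after: bytes) -> tuple[set[SignatureEntry], set[SignatureEntry]]:
    """(added, removed) entries between two exported variable blobs, e.g. backup vs. current."""
    old, new = set(parse_signature_lists(before)), set(parse_signature_lists(after))
    return new - old, old - new


def allows_hash(blob: bytes, digest: bytes) -> bool:
    """True if a SHA-256 hash entry for this digest is present (in db: allowed; in dbx: revoked)."""
    return any(e.sig_type == "sha256" and e.data == digest for e in parse_signature_lists(blob))


# Constructed sample data standing in for an exported db variable.
OWNER = uuid.UUID("77777777-0000-4000-8000-000000000001")        # made-up owner GUID
HASH_A = hashlib.sha256(b"constructed binary A").digest()
HASH_B = hashlib.sha256(b"constructed binary B").digest()
NEW_HASH = hashlib.sha256(b"constructed binary C").digest()
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 12                   # placeholder bytes, not a real DER cert
DB_BEFORE = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [HASH_A, HASH_B])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT]))
DB_AFTER = DB_BEFORE + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [NEW_HASH])

if __name__ == "__main__":
    for e in parse_signature_lists(DB_BEFORE):
        print(e.sig_type, e.owner, e.data.hex()[:16])
    added, removed = compare_exports(DB_BEFORE, DB_AFTER)
    print(f"added={len(added)} removed={len(removed)}")
```

Run `compare_exports` on the saved export and a fresh one after any key change: an empty result on both sides confirms the restore put back exactly what was backed up, and any entry showing up as added in dbx is a revocation the firmware will now enforce.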

#

I still have no idea what I'm doing XD