diff --git a/base/common_hardware.nix b/base/common_hardware.nix
index ede1c08..92406a1 100644
--- a/base/common_hardware.nix
+++ b/base/common_hardware.nix
@@ -16,13 +16,27 @@ in {
 # Bootloader.
 boot = {
 consoleLogLevel = 0;
+
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+
+ boot.lanzaboote = lib.mkIf config.conf.secureBoot {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+
 loader = {
- systemd-boot = lib.mkIf config.conf.useSystemdBootloader {
- enable = true;
+ systemd-boot = {
+ enable =
+ if config.conf.secureBoot
+ then lib.mkForce false
+ else if config.conf.useSystemdBootloadertrue
+ then true
+ else false;
 configurationLimit = 5;
 };
 efi.canTouchEfiVariables = true;
 };
+
 kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 initrd = {
 verbose = false;
diff --git a/modules/conf.nix b/modules/conf.nix
index 55ec2b9..cf8dc65 100644
--- a/modules/conf.nix
+++ b/modules/conf.nix
@@ -20,6 +20,15 @@
 '';
 };

+ secureBoot = lib.mkOption {
+ default = false;
+ example = true;
+ description = ''
+ enables secure boot.
+ Please don't forget to add your keys.
+ '';
+ };
+
 useSystemdBootloader = lib.mkOption {
 default = true;
 example = false;
diff --git a/modules/programs/basePackages.nix b/modules/programs/basePackages.nix
index 635a2a7..0f2ff25 100644
--- a/modules/programs/basePackages.nix
+++ b/modules/programs/basePackages.nix
@@ -74,6 +74,7 @@
 seahorse
 upower
 xorg.xkbutils
+ sbctl
 ] ++ config.mods.basePackages.additionalPackages else config.mods.basePackages.additionalPackages;
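Review bot: The two additions placed directly under `boot = {` (`boot.loader.systemd-boot.enable = lib.mkForce false;` and `boot.lanzaboote = lib.mkIf config.conf.secureBoot { ... };`) are nested inside the `boot` attribute set, so they define `boot.boot.loader.systemd-boot.enable` and `boot.boot.lanzaboote`, which the NixOS module system rejects as undeclared options before any Secure Boot setup takes effect; the first of them is also redundant, because the `enable` expression in `loader.systemd-boot` already forces the bootloader off when `config.conf.secureBoot` is set. The condition `config.conf.useSystemdBootloadertrue` looks like a typo for `config.conf.useSystemdBootloader`, the option declared in modules/conf.nix, and evaluates as a missing attribute. The rewrite below drops the `boot.` prefix and the redundant mkForce line, keeps lanzaboote conditional on `config.conf.secureBoot`, and collapses the `if … then true else false` tail to the option value itself; whether the lanzaboote module is imported anywhere is not visible in this diff, and `pkiBundle` only works once keys exist under `/var/lib/sbctl`. The `boot` attribute set starts inside the hunk but closes outside it.
```nix
boot = {
  consoleLogLevel = 0;

  lanzaboote = lib.mkIf config.conf.secureBoot {
    enable = true;
    pkiBundle = "/var/lib/sbctl";
  };

  loader = {
    systemd-boot = {
      enable =
        if config.conf.secureBoot
        then lib.mkForce false
        else config.conf.useSystemdBootloader;
      configurationLimit = 5;
    };
    # … unchanged: efi.canTouchEfiVariables …
  };
  # … unchanged: kernelPackages, initrd …
```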
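Review bot: The new `secureBoot` option declares no `type`, so any value (a string, a list) is accepted at definition time and only fails later when `lib.mkIf config.conf.secureBoot` in base/common_hardware.nix evaluates it; add `type = lib.types.bool;` next to `default = false;` so misconfiguration is reported at the option itself. Whether the adjacent `useSystemdBootloader` option carries a type is outside the hunk, but the two should match. The description could also name where the keys are expected, since the hardware module hard-codes the bundle path: `Enables Secure Boot via lanzaboote; keys must already exist in the sbctl PKI bundle at /var/lib/sbctl.`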