root@dma-dreamflasher 
--------------------- 
OS: NixOS 26.05.20251130.2d293cb (Yarara) aarch64 
Host: ADLINK Ampere Altra Developer Platform 
Kernel: 6.12.59 
Uptime: 5 hours, 11 mins 
Packages: 504 (nix-system) 
Shell: bash 5.3.3 
Resolution: 1024x768 
Terminal: /dev/pts/0 
CPU: (128) @ 3.0GHz 
GPU: ASPEED Technology, Inc. ASPEED Graphics Family 
Memory: 4.24GiB / 125.19GiB (3%) 

• hostname: dma-dreamflasher
• mac: 00:30:64:76:4c:b3
• os: nixos

Note: Guide assumes an already running system. It does not cover resetting the system from scratch.

1. Enter BIOS setup by spamming Esc then Device Manager
2. Go into Secure Boot Configuration
3. Switch Secure Boot mode to Custom mode
4. Go to the list of Secure Boot keys, then PK, then Delete PK. Confirm yes.
5. Go out, then Boot Manager, then boot into NixOS as usual.
6. Validate setup mode using sbctl status and bootctl status.
7. Use sbctl enroll-keys --microsoft.
8. Validate that you're no longer in setup mode via the above commands.
9. Reboot again. Validate that the system boots fine.
10. Re-enroll TPM2-backed decryption via Arch wiki guide.