This Lenovo laptop was sold as new, for little money, and without Windows, by a renowned German notebook shop site. It came with pre-installed FreeDOS, giving the out-of-box experience of a 1980s IBM AT. But that was not because of the Superfish adware shit, which happened later, in 2014. I did not know this story; instead, I was curious whether my machine would be one of those "Lenovo computer models with Secure Boot [that] had firmware that was hardcoded to allow only executables named 'Windows Boot Manager' or 'Red Hat Enterprise Linux' to load, regardless of any other setting" (it isn't).
Better don't spend your money on the golden paint.
Maybe I should attach emojis to remarks that are meant ironically, but it's funnier for me if I don't. Of course I'm on your side, Alacran, with your criticism of the Secure Boot approach, because booting should become easier, not harder. Also, my initial quoting of Zammibro's complaint (in post no. 341) does not mean that I'm complaining too. I just try to analyze, like: If the malware people laugh about Secure Boot being enabled, then why don't we? I want to know how we can live with it.
By the way, the Chinese site A1ive and you referred to frequently is either offline now or inaccessible from Germany, even with Tor browser. I probably missed important basic information from there, so it would be nice if someone could upload a backup of that material to a, well, "secure" location.
Gerolf commented in a previous post that his preferred distro (openSUSE Tumbleweed) has a GUI tool (YaST) to edit the grub.cfg file. Please don't ask how to edit the grub.cfg file, as each distro has its own way to automatically create its grub.cfg file, and it is known that direct manual editing very frequently does not work, as it is usually auto-repaired on next boot.
SUSE Linux gained a little popularity in Germany during the time when Windows still struggled with stability problems. During the past 23 years, I frequently created the classical dual-boot scenario (which I only adopted here for GPT/UEFI/SB) on various machines, and while SUSE Linux never was considered a "cool" distro like Ubuntu, I'm amazed how its installation procedure runs smoother and faster with every year.
SUSE's YaST not only is "Yet another Setup Tool" but also a comprehensive control center for system administration like the one (or two) you are used to on Windows but somehow cannot find on other Linux distros. For instance, its boot manager configuration GUI allows installing another bootloader (Grub2 or Grub2 for EFI) even after setup is already finished. A few options like Secure Boot support or the default operating system can be changed, but a dialog to add further menu entries is missing -- no wonder, as grub.cfg is a shell script of quite some complexity rather than a configuration file.
It is correct that grub.cfg gets rebuilt automatically from fragments located elsewhere. I still have to study the mechanism and to use the Grub2 command line meanwhile. I see a new "Grub4EFI" build just arrived; I had downloaded the previous one a few days ago. The EFI partition gets mounted to /boot/efi/EFI and has subfolders Microsoft and opensuse. I opened the file manager in supervisor mode, created a subfolder Grub4EFI and copied the file BOOTX64.EFI from the extracted archive to it. Then I secure-booted to Grub2, opened the command-line and entered:
chainloader (hd0,gpt1)/EFI/Grub4EFI/BOOTX64.EFI
boot
And then it really did show up, with its title line "GRUB4DOS for_UEFI 2021-06-19". (I haven't made any further experiments with it yet, I'm getting tired now.)
You quoted the sentence "Using SB activates 'lockdown' mode in the Linux kernel" from the Debian Wiki and concluded:
So as G4E boot loader is not signed with a Debian Key it will not load/run when Secure Boot is enabled.
Only that Grub2 which I used here for chainloading "Grub4EFI" obviously does not include a Linux kernel or any other code that is responsive to Secure Boot mode. I understand the Debian Wiki such that only the first-stage bootloader Shim, the "root of trust", then kills the next binary to be chainloaded if that file is not signed. But that's not the case for openSUSE's Grub2, and Shim neither knows nor cares what Grub2 will do later.
So my answer to Zammibro's complaining question ("How to add this thing to a Windows PC?") would be, in a nutshell and still incomplete: Create a dual-boot scenario with a "trusted" Linux distro to get a signed Grub2 installed, and then modify its configuration to chainload "Grub4EFI" and your other cool "untrusted" stuff. You don't trust my reporting? C'mon, you'll find a spare computer to reproduce this experiment.
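A defender's view of the gap described in this post, as an added example that is not part of the original post: if a signed Grub2 chainloads whatever it is pointed at, it is worth knowing which binaries on the EFI partition carry no embedded signature at all. The Python below walks the mount point mentioned in the post and reports, per *.efi file, whether the PE certificate table is present; it does not validate the signature or compare it with db or MOK, and all function names are this example's own.

```python
import os
import struct

CERT_DIR = 4  # data-directory slot of the PE Attribute Certificate Table

def cert_table(image: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table; ValueError if not PE."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("no MZ header")
        pe = struct.unpack_from("<I", image, 0x3C)[0]   # e_lfanew
        if image[pe:pe + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        opt = pe + 24  # optional header follows 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", image, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]     # PE32 / PE32+
        if struct.unpack_from("<I", image, dirs - 4)[0] <= CERT_DIR:
            return (0, 0)                               # directory slot not present
        return struct.unpack_from("<II", image, dirs + 8 * CERT_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unknown PE header") from exc

def has_signature_blob(image: bytes) -> bool:
    """True if a certificate table is present and lies inside the file.
    Presence only: the signature is neither validated nor matched to db/MOK."""
    offset, size = cert_table(image)
    return size > 8 and offset > 0 and offset + size <= len(image)

def audit(root: str) -> dict:
    """Map every *.efi under root to True/False, or None if it is not a PE file."""
    report = {}
    for folder, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".efi")):
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                report[path] = has_signature_blob(data)
            except ValueError:
                report[path] = None
    return report

if __name__ == "__main__":
    # Mount point as given in the post; adjust if the ESP is mounted elsewhere.
    for path, ok in sorted(audit("/boot/efi/EFI").items()):
        print(ok, path)
```

A `False` or `None` entry next to a signed shim and Grub2 marks a binary that only runs because something earlier in the chain does not enforce verification.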