secure_boot_setup: Add special steps for Limine

Using sbctl-batch-sign is not applicable for Limine when checksum
verification is enabled (default).

Limine also doesn't need kernel images to be signed so rely on
`limine-enroll-config` and signing that other EFI path manually for
secure boot on Limine.

Signed-off-by: Eric Naim <dnaim@cachyos.org>

Author: 1Naim

src/content/docs/configuration/secure_boot_setup.mdx

@@ -116,6 +116,28 @@ pacman hook will **not** sign the updated EFI binaries. As a workaround, we can
 ❯ sudo sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
 ```
 
+### Limine
+
+Limine is a special boot manager that allows for checking the hash of kernel
+images and other files that Limine uses during boot. This means that any sort of
+manual configuration done by the user, e.g. signing the image via
+`sbctl-batch-sign`, will modify the hash of the corresponding files and will
+fail Limine's checksum verification.
+
+However, this is not a problem for Limine because it has a special boot process
+that bypasses EFI chainloading and signature checks. The only EFI binaries that
+need to be signed are Limine itself and the backup EFI binary found in all UEFI
+systems.
+
+```sh
+# Use limine-enroll-config to sign Limine's EFI binary
+# This uses sbctl under the hood
+❯ sudo limine-enroll-config
+
+# Sign the special EFI binary
+❯ sudo sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
+```
+
 ## Verify that Secure Boot is Enabled
 
 To check that secure boot is indeed enabled. You can run one of the following commands