I was unlucky and did not find any information on what I need to do to enable secure boot on Rocky 8.5. keyctl show %:.platform only shows the Rocky Enterprise Software Foundation key, not the one from Microsoft. Secure Boot was enabled in the UEFI during installation. mokutil --sb shows that SecureBoot is disabled.
You don’t normally enable it after installing. You normally have it enabled in the UEFI BIOS before installing, and then when you install, it will be enabled. If this didn’t work, you might need to carefully look at logs to see why it failed.
Thank you for your response. I was able to resolve the issue using the good old trial and error method. After the fifth or so installation I went into the UEFI and used the option to reset the keys in the secure boot submenu. Rocky was now able to boot using secure boot. Why this was the solution is a mystery to me, since I never enrolled custom keys in the first place.
I did actually enable Safe Boot after install (on an AlmaLinux system that had been initially installed as CentOS Linux 8). The only key that I had to import into UEFI was that of ELRepo. This anecdote might not be fully relevant, as both CentOS and Alma had Secure Boot keys when I started using them, while Rocky got them only on the 8.5 release. That could make a difference.
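
For the mismatch described in the first post (Secure Boot switched on in the UEFI menu while mokutil reports it disabled), the following added example, which is not from any poster in this thread, reads the SecureBoot and SetupMode UEFI variables from efivarfs and classifies the firmware state. The function names efi_byte and sb_state are hypothetical; the GUID is the UEFI global variable GUID, and the optional directory argument exists only so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: classify Secure Boot state from the UEFI variables in efivarfs.
# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is a 4-byte attribute header followed by the payload.
# Print the first payload byte as a decimal number, or "missing".
efi_byte() {  # usage: efi_byte <efivars-dir> <variable-name> (hypothetical helper)
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    echo "${v:-missing}"
}

# Combine SecureBoot and SetupMode into one state name.
sb_state() {  # usage: sb_state [efivars-dir] (hypothetical helper)
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efi_byte "$dir" SecureBoot)
    setup=$(efi_byte "$dir" SetupMode)
    case "$sb:$setup" in
        missing:*) echo "no-efi-vars" ;;  # legacy BIOS boot or efivarfs not mounted
        1:0)       echo "enforcing" ;;    # signatures are being verified
        *:1)       echo "setup-mode" ;;   # no Platform Key enrolled, nothing is verified
        0:*)       echo "disabled" ;;     # keys enrolled, verification switched off
        *)         echo "unknown" ;;
    esac
}

# Report the state of the running system (or of the directory given as $1).
sb_state "$@"
```

A result other than "enforcing" means the firmware is not verifying the boot chain, whatever the setup menu shows; compare it with the mokutil output and the keyctl platform keyring listing mentioned in the first post.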