Mention secure boot auto enrollment minimum systemd version

diff --git a/mkosi/resources/mkosi.md b/mkosi/resources/mkosi.md
index d734360be3b858c6ea9e2c528fee701fc8ebd40c..f326b6a3dfdbbccbeb7be45765572c6043c53621 100644 (file)
--- a/mkosi/resources/mkosi.md
+++ b/mkosi/resources/mkosi.md
@@ -975,9 +975,18 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`,
 
 `SecureBoot=`, `--secure-boot`
 
-: Sign systemd-boot (if it is not signed yet) and the resulting
-  kernel/initrd image for UEFI SecureBoot. Also set up secure boot key
-  auto enrollment as documented in the systemd-boot [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+: Sign systemd-boot (if it is not signed yet) and any generated
+  unified kernel images for UEFI SecureBoot. Also set up automatic
+  enrollment of the secure boot keys in virtual machines as documented
+  in the systemd-boot
+  [man page](https://www.freedesktop.org/software/systemd/man/systemd-boot.html).
+  Note that systemd-boot will only do automatic secure boot key
+  enrollment in virtual machines starting from systemd v253. To do auto
+  enrollment on systemd v252 or on bare metal machines, write a
+  systemd-boot configuration file to `/efi/loader/loader.conf` using an
+  extra tree with `secure-boot-enroll force` or
+  `secure-boot-enroll manual` in it. Auto enrollment is not supported on
+  systemd versions older than v252.
 
 `SecureBootKey=`, `--secure-boot-key=`