diff --git a/modules/system/secure_boot/default.nix b/modules/system/secure_boot/default.nix
index d21c796..1579669 100644
--- a/modules/system/secure_boot/default.nix
+++ b/modules/system/secure_boot/default.nix
@@ -23,6 +23,8 @@ in {
     # force disable systemd-boot so lanzaboote can be used
     boot.loader.systemd-boot.enable = lib.mkForce false;
 
+    # make sure the keys are generated and in the pkiBundle path
+    # with `nix-shell -p --run "sbctl create-keys"`
     boot.lanzaboote = {
       enable = true;
       pkiBundle = "/var/lib/sbctl";