diff --git a/roles/configuration/tasks/_resolve_platform.yml b/roles/configuration/tasks/_resolve_platform.yml
index 7ff6956..7de5224 100644
--- a/roles/configuration/tasks/_resolve_platform.yml
+++ b/roles/configuration/tasks/_resolve_platform.yml
@@ -14,3 +14,12 @@
 - name: Set platform configuration
   ansible.builtin.set_fact:
     _configuration_platform: "{{ configuration_platform_config[os_family] }}"
+
+- name: Override EFI loader to shim for Secure Boot
+  when:
+    - system_cfg.features.secure_boot.enabled | bool
+    - _configuration_platform.efi_loader != 'shimx64.efi'
+    - os != 'archlinux'
+  ansible.builtin.set_fact:
+    _configuration_platform: >-
+      {{ _configuration_platform | combine({'efi_loader': 'shimx64.efi'}) }}