diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index c969ef7..b7e7f40 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -141,6 +141,9 @@ system_defaults:
       enabled: false
       environment: ""       # gnome|kde|xfce|sway|hyprland|cinnamon|mate|lxqt|budgie
       display_manager: ""   # auto from environment when empty; override: gdm|sddm|lightdm|greetd
+    secure_boot:
+      enabled: false
+      method: ""            # arch only: sbctl (default) or uki; ignored for other distros
 
 # Per-hypervisor required fields — drives data-driven validation.
 # All virtual types additionally require network bridge or interfaces.
diff --git a/roles/global_defaults/tasks/_normalize_system.yml b/roles/global_defaults/tasks/_normalize_system.yml
index fc4eb59..5c2e525 100644
--- a/roles/global_defaults/tasks/_normalize_system.yml
+++ b/roles/global_defaults/tasks/_normalize_system.yml
@@ -150,6 +150,9 @@
           enabled: "{{ system_raw.features.desktop.enabled | bool }}"
           environment: "{{ system_raw.features.desktop.environment | default('') | string | lower }}"
           display_manager: "{{ system_raw.features.desktop.display_manager | default('') | string | lower }}"
+        secure_boot:
+          enabled: "{{ system_raw.features.secure_boot.enabled | bool }}"
+          method: "{{ system_raw.features.secure_boot.method | default('') | string | lower }}"
     hostname: "{{ system_name }}"
     os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
     os_version: "{{ system_raw.version | default('') | string }}"