Hopefully this is already changed in the Bullseye install guide, but if not, I don't think I will learn how to make edits before Bullseye releases.
The Buster install guide says in Section 3.6.3 (https://www.debian.org/releases/stable/amd64/ch03s06.en.html#UEFI):

Another UEFI-related topic is the so-called “secure boot” mechanism. Secure boot means a function of UEFI implementations that allows the firmware to only load and execute code that is cryptographically signed with certain keys and thereby blocking any (potentially malicious) boot code that is unsigned or signed with unknown keys. In practice the only key accepted by default on most UEFI systems with secure boot is a key from Microsoft used for signing the Windows bootloader. As the boot code used by debian-installer is not signed by Microsoft, booting the installer requires prior deactivation of secure boot in case it is enabled.

My test on a recent weekly-build testing netinst seems to show that the above is no longer correct -- it booted fine for me in UEFI/SecureBoot mode. I thought I remembered reading (somewhere) that all recent Debian installers (and live systems??) can boot in legacy BIOS mode or UEFI mode with or without secure boot.