diff --git a/.github/workflows/talos-boot-assets.yaml b/.github/workflows/talos-boot-assets.yaml index c982049..361906e 100644 --- a/.github/workflows/talos-boot-assets.yaml +++ b/.github/workflows/talos-boot-assets.yaml @@ -122,13 +122,6 @@ jobs: sha: ${{ steps.hash.outputs.sha_short }} steps: - - name: Maximize build space - uses: jlumbroso/free-disk-space@main - with: - large-packages: true - docker-images: true - swap-storage: true - - name: Checkout uses: actions/checkout@v4 with: @@ -141,13 +134,32 @@ jobs: sha_short=$(git rev-parse --short HEAD) echo "sha_short=$sha_short" >> $GITHUB_OUTPUT + - name: Check if kernel image is already built + id: check + run: | + token=$(echo "${{ secrets.GITHUB_TOKEN }}" | base64) + tags=$(curl -H "Authorization: Bearer $token" https://ghcr.io/v2/${{ github.actor }}/kernel/tags/list) + built=$(echo "$tags" | jq -r '.tags | contains(["${{ steps.hash.outputs.sha_short }}"])') + echo "built=$built" >> $GITHUB_OUTPUT + + - name: Maximize build space + if: steps.check.outputs.built == 'false' + uses: jlumbroso/free-disk-space@main + with: + large-packages: true + docker-images: true + swap-storage: true + - name: Set up QEMU + if: steps.check.outputs.built == 'false' uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx + if: steps.check.outputs.built == 'false' uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry + if: steps.check.outputs.built == 'false' uses: docker/login-action@v3.0.0 with: registry: ghcr.io @@ -155,6 +167,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build kernel image + if: steps.check.outputs.built == 'false' env: PLATFORM: linux/amd64 USERNAME: ${{ github.actor }} 
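Review bot: The new "Check if kernel image is already built" step interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` straight into the shell script and never checks the registry call, so a non-2xx response or a body without `.tags` (the first run before the `kernel` package exists, or a transient ghcr error) makes `jq` error out, `built` is written as an empty string, and every later `if: steps.check.outputs.built == 'false'` step is silently skipped. `contains([...])` on an array of strings is substring containment in jq, so any tag that merely embeds the short SHA counts as already built, and `base64` without `-w0` line-wraps longer inputs into the Authorization header. Pass the values through `env:`, enable `set -euo pipefail` so a failed lookup fails the job instead of skipping the build, and test for an exact tag with `index($sha) != null` over `.tags // []` so a missing package reads as not built. The same hunk re-adds `jlumbroso/free-disk-space@main`, a mutable branch, while the rest of the file pins actions by tag or SHA; pinning it to a commit would match.
```yaml
      - name: Check if kernel image is already built
        id: check
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OWNER: ${{ github.actor }}
          SHA_SHORT: ${{ steps.hash.outputs.sha_short }}
        run: |
          set -euo pipefail
          token=$(printf '%s' "$GH_TOKEN" | base64 -w0)
          tags=$(curl -sS -H "Authorization: Bearer $token" "https://ghcr.io/v2/${OWNER}/kernel/tags/list")
          # exact match on the tag list; a 404 body has no .tags and reads as "not built"
          built=$(echo "$tags" | jq -r --arg sha "$SHA_SHORT" '.tags // [] | index($sha) != null')
          echo "built=$built" >> "$GITHUB_OUTPUT"
```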
@@ -226,22 +239,6 @@ jobs: if-no-files-found: error retention-days: 1 - create-release: - needs: [ check-releases, build-boot-assets ] - if: needs.check-releases.outputs.newTalosReleaseFound - name: Create a new release - runs-on: ubuntu-latest - - permissions: - contents: write - - steps: - - name: Create a new release - uses: softprops/action-gh-release@v1 - with: - tag_name: ${{ needs.check-releases.outputs.talosReleaseTag }} - body: ${{ needs.check-releases.outputs.talosReleaseBody }} - push-installer-image: needs: [ check-releases, build-boot-assets ] name: Push installer image @@ -252,7 +249,7 @@ jobs: packages: write steps: - - name: Download build asset images + - name: Download talos installer image uses: actions/download-artifact@v3 with: name: talos-installer 
@@ -278,3 +275,120 @@ jobs: --platform linux/amd64 \ /tmp/talos-build-assets/metal-amd64-installer.tar \ ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} + + build-secure-boot-assets: + needs: [ check-releases, build-installer ] + if: needs.check-releases.outputs.newTalosReleaseFound || github.event_name == 'workflow_dispatch' + name: Build secure boot assets + runs-on: ubuntu-latest + + permissions: + contents: write + + container: + image: ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }} + options: --privileged + volumes: + - /dev:/dev + + steps: + - name: Write uki-signing-cert.pem + id: uki-signing-cert-pem + uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + with: + encodedString: "${{ secrets.UKI_SIGNING_CERT }}" + fileDir: /secureboot + fileName: uki-signing-cert.pem + + - name: Write uki-signing-key.pem + id: uki-signing-key-pem + uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + with: + encodedString: "${{ secrets.UKI_SIGNING_KEY }}" + fileDir: /secureboot + fileName: uki-signing-key.pem + + - name: Write pcr-signing-key.pem + id: pcr-signing-key-pem + uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + with: + encodedString: "${{ secrets.PCR_SIGNING_KEY }}" + fileDir: /secureboot + fileName: pcr-signing-key.pem + + - name: Write pcr-signing-public-key.pem + id: pcr-signing-public-key-pem + uses: timheuer/base64-to-file@784a1a4a994315802b7d8e2084e116e783d157be # v1.2.4 + with: + encodedString: "${{ secrets.PCR_SIGNING_PUBLIC_KEY }}" + fileDir: /secureboot + fileName: pcr-signing-public-key.pem + + - name: Build amd64 secureboot-installer w/ Intel & I915 Ucode + run: | + /bin/imager secureboot-installer \ + --arch amd64 \ + --base-installer-image ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }} \ + --system-extension-image ghcr.io/siderolabs/intel-ucode:${{ 
env.INTEL_UCODE_VERSION }} \ + --system-extension-image ghcr.io/siderolabs/i915-ucode:${{ env.I915_UCODE_VERSION }} + + - name: Upload secureboot-installer artifact + uses: actions/upload-artifact@v3 + with: + name: talos-secureboot-installer + path: /out/metal-amd64-secureboot-installer.tar + if-no-files-found: error + retention-days: 1 + + push-secureboot-installer-image: + needs: [ check-releases, build-secure-boot-assets ] + name: Push secureboot-installer image + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write + + steps: + - name: Download talos secureboot-installer image + uses: actions/download-artifact@v3 + with: + name: talos-secureboot-installer + path: /tmp/talos-build-assets + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - uses: imjasonh/setup-crane@v0.3 + - name: Push secureboot-installer image + run: | + crane push \ + --platform linux/amd64 \ + /tmp/talos-build-assets/metal-amd64-secureboot-installer.tar \ + ghcr.io/${{ github.actor }}/installer:${{ needs.check-releases.outputs.talosReleaseTag }}-secureboot + + create-release: + needs: [ check-releases, push-installer-image, push-secureboot-installer-image ] + if: needs.check-releases.outputs.newTalosReleaseFound + name: Create a new release + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + - name: Create a new release + uses: softprops/action-gh-release@v1 + with: + tag_name: ${{ needs.check-releases.outputs.talosReleaseTag }} + body: ${{ needs.check-releases.outputs.talosReleaseBody }}
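Review bot: In `build-secure-boot-assets` the UKI and PCR signing keys are decoded into a `--privileged` container with `/dev` mounted whose image, `ghcr.io/buroa/installer:${{ needs.check-releases.outputs.talosReleaseTag }}`, is a mutable tag in a hard-coded namespace (every other image reference uses `${{ github.actor }}`), and the imager step then pulls the `intel-ucode` and `i915-ucode` extension images by tag as well, so whoever can re-point any of those tags executes code with the Secure Boot signing keys on disk; pin the container and extension images by digest (`image@sha256:…`) or at least run in the installer this workflow just pushed. The job's `needs:` names `build-installer`, but the only installer-producing job visible in this diff is `push-installer-image`; if `build-installer` does not exist elsewhere in the file the workflow is rejected, and without `needs: [ check-releases, push-installer-image ]` the `--base-installer-image` pull can race the push of that same tag. `permissions: contents: write` is broader than the job uses (it pulls images and uploads an artifact), so `contents: read` plus `packages: read` suffices. The imager is invoked with no explicit `--secureboot-*-path` flags, so it presumably relies on default `/secureboot/…` locations matching the four files written above; a comment such as `# imager reads /secureboot/{uki-signing-cert,uki-signing-key,pcr-signing-key}.pem by default` above the build step would make that coupling visible.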