Secureboot

You can also enable secure boot using sbctl.

First reinstall grub with secure boot support (see GRUB - ArchWiki):

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=garuda --modules="tpm" --disable-shim-lock

Then follow up with the instructions here:

Enter secure boot setup mode and create and enroll the keys (-f is used to keep firmware builtins):

sbctl create-keys
sbctl enroll-keys -m -f

Then sign all the required binaries:

sbctl verify | sed 's/^✗ \(.*\) is not signed$/sbctl sign -s \1/e'
find /boot/vmlinuz-* | xargs -n1 sbctl sign -s
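An added example, not part of the original post: the signing step above relies on GNU sed's `e` flag, which runs text built from file names through a shell. This sketch lists the unsigned paths first and passes each one to `sbctl sign -s` as a single argument. The function names and the sample `sbctl verify` output are constructed for illustration, with the line format inferred from the sed pattern in the post.

```shell
#!/bin/sh
# Added example: review what `sbctl verify` reports as unsigned before signing.
# Function names are hypothetical; the sample output below is constructed.

# Constructed sample of `sbctl verify` output (format assumed from the post's sed pattern).
sample_verify_output() {
cat <<'EOF'
Verifying file database and EFI images in /boot/efi...
✓ /boot/efi/EFI/garuda/grubx64.efi is signed
✗ /boot/vmlinuz-linux-zen is not signed
✗ /boot/efi/EFI/BOOT/BOOTX64.EFI is not signed
EOF
}

# Read verify output on stdin and print one unsigned absolute path per line.
# Only lines ending in " is not signed" with an absolute path are accepted.
unsigned_paths() {
    sed -n 's|^[^ ]* \(/.*\) is not signed$|\1|p'
}

# Read paths on stdin. With DRY_RUN=1 (the default) print the command that
# would run; with DRY_RUN=0 call sbctl, passing the path as one argument.
sign_unsigned() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf "sbctl sign -s '%s'\n" "$path"
        else
            sbctl sign -s "$path"
        fi
    done
}

# "live" reads the real tool; anything else runs the offline sample as a dry run.
case "${1:-demo}" in
    live) sbctl verify | unsigned_paths | sign_unsigned ;;
    *)    sample_verify_output | unsigned_paths | sign_unsigned ;;
esac
```

Run it with `live` to see the commands for the real system, then again with `DRY_RUN=0` once the list looks right.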