createKeys option

nix/modules/lanzaboote.nix

@@ -21,6 +21,7 @@ in
     enable = mkEnableOption "Enable the LANZABOOTE";
 
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+    createKeys = mkEnableOption "Automatic creation of the keys using sbctl";
 
     configurationLimit = mkOption {
       default = config.boot.loader.systemd-boot.configurationLimit;
@@ -110,6 +111,10 @@ in
     boot.loader.external = {
       enable = true;
       installHook = pkgs.writeShellScript "bootinstall" ''
+        ${optionalString cfg.createKeys ''
+          ${pkgs.sbctl}/bin/sbctl create-keys
+        ''}
+
         ${optionalString cfg.enrollKeys ''
           mkdir -p /tmp/pki
           cp -r ${cfg.pkiBundle}/* /tmp/pki