Some distros have this built in. With others, for instance Arch, you can use sbctl, which automates most of the process by having you create keys, enroll them, and then sign the boot files (this is with the default Arch bootloader, systemd-boot).

Discussion

This doesn't verify the firmware.

Irrelevant - BIOS and UEFI, for the purposes of Secure Boot, only care about the kernel files and the bootloader. And in the case of UEFI, you can bypass the bootloader and directly launch the kernel.

Relevant to me.

SecureBoot is not verified boot. Verified boot is a lot more extensive. There is no way desktop Linux can do it. No matter how many commands you type.

If you're worried about security, LUKS will do more than any verified boot can do.

Can't use LUKS for the bootloader or firmware.