While I don’t know how well your hardware can work with secure boot, this is a good guide to get started on Arch. swsnr.de/…/install-arch-with-secure-boot-tpm2-bas…Don’t know how well Debian supports any of the mentioned tools but you probably shouldn’t be going with Debian’s implementation of secure boot as it uses Microsoft’s keys.
I use TPM pcrs 0,1 and 7 with no issues across reboots and zero prompts to unlock LUKS as dracut resigns my kernel images on every update.