Secure boot requires a primary bootloader configured with signature checking, and the current releases do not support this.
The next Debian-based release (currently hoped to be 17.04) is expected to ship with signature checking enabled and with LK set up appropriately, and will therefore provide a fully worked example of how to perform a secure boot. However, these images serve only as an example. They will not achieve any meaningful secure boot because the keys used to sign the release will be well-known “dummy” keys.
To the example sequence you will have to add an appropriate primary bootloader and re-sign the later components with your own key.