The current defaults work for most users. I suggest leaving them as they are, but add a clarifying message -- maybe something like: "Uncheck the secure boot support option if you need to boot unsigned kernels (this is uncommon)"