What are your opinions on compartmentalising different OSes on different SSDs on the same machine?

Yessir, you need to use Secure Boot with custom keys, and sign the boot partition yourself with those keys to avoid boot partition malware.


Something else you could do is install your boot partition to a USB drive, keep that drive with you at all times, and disconnect it when the system’s running. Nothing to infect if the bootloader isn’t stored locally in the first place, and you avoid evil maid attacks without using secure boot.

In this case, your system’s package manager won’t be able to update your bootloader automatically though, so there’s a risk of missing out on security updates. Always tradeoffs 🙂

2 Likes
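For the Secure Boot advice earlier in the thread, an added example (not from any poster) that reads the firmware's `SecureBoot` and `SetupMode` variables to confirm enforcement is really on after you enroll your own keys. It assumes Linux with efivarfs mounted at `/sys/firmware/efi/efivars` and GNU `od`; the function names are hypothetical, and the result does not tell you whose keys are enrolled.

```shell
#!/bin/sh
# Added example: report Secure Boot state from efivarfs (Linux).
# Function names are hypothetical; the variable names and GUID are the
# UEFI global-variable ones.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 attribute bytes followed by the variable data.
# SecureBoot and SetupMode each carry one data byte, so read byte 5.
efi_byte() {  # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# Prints one of: enforcing, setup-mode, disabled, no-efi, unknown.
secure_boot_state() {  # $1 = efivars directory (defaults to the live one)
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo no-efi; return 0; }
    sb=$(efi_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    sm=$(efi_byte "$dir" SetupMode) || { echo unknown; return 0; }
    case "$sb:$sm" in
        1:0) echo enforcing ;;   # Platform Key enrolled, signatures checked
        0:1) echo setup-mode ;;  # no Platform Key enrolled, nothing enforced
        0:0) echo disabled ;;    # keys enrolled but enforcement turned off
        *)   echo unknown ;;     # truncated file or inconsistent values
    esac
}

# Constructed sample (not read from real firmware): Secure Boot on, user mode.
demo=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo/SecureBoot-$EFI_GLOBAL_GUID"
printf '\006\000\000\000\000' > "$demo/SetupMode-$EFI_GLOBAL_GUID"
echo "constructed sample: $(secure_boot_state "$demo")"
echo "this machine:       $(secure_boot_state)"
rm -rf "$demo"
```

Anything other than `enforcing` on the live system means unsigned or tampered boot files would still be loaded, whichever keys you generated.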