diff --git a/src/boot/boot.c b/src/boot/boot.c
index 400e5ab5207..e7ae98021f1 100644
--- a/src/boot/boot.c
+++ b/src/boot/boot.c
@@ -6,6 +6,7 @@
 #include "device-path-util.h"
 #include "devicetree.h"
 #include "drivers.h"
+#include "efi-string-table.h"
 #include "efivars-fundamental.h"
 #include "efivars.h"
 #include "export-vars.h"
@@ -83,8 +84,17 @@ typedef enum {
         REBOOT_NO,
         REBOOT_YES,
         REBOOT_AUTO,
+        _REBOOT_ON_ERROR_MAX,
 } RebootOnError;
 
+static const char *reboot_on_error_table[_REBOOT_ON_ERROR_MAX] = {
+        [REBOOT_NO]   = "no",
+        [REBOOT_YES]  = "yes",
+        [REBOOT_AUTO] = "auto",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(reboot_on_error, RebootOnError);
+
 typedef struct BootEntry {
         char16_t *id;         /* The unique identifier for this entry (typically the filename of the file defining the entry, possibly suffixed with a profile id) */
         char16_t *id_without_profile; /* same, but without any profile id suffixed */
@@ -323,37 +333,8 @@ static void print_status(Config *config, char16_t *loaded_image_path) {
         printf("           auto-reboot: %ls\n", yes_no(config->auto_reboot));
         printf("                  beep: %ls\n", yes_no(config->beep));
         printf("  reboot-for-bitlocker: %ls\n", yes_no(config->reboot_for_bitlocker));
-
-        switch (config->reboot_on_error) {
-        case REBOOT_NO:
-                printf("       reboot-on-error: no\n");
-                break;
-        case REBOOT_YES:
-                printf("       reboot-on-error: yes\n");
-                break;
-        case REBOOT_AUTO:
-                printf("       reboot-on-error: auto\n");
-                break;
-        default:
-                assert_not_reached();
-        }
-
-        switch (config->secure_boot_enroll) {
-        case ENROLL_OFF:
-                printf("    secure-boot-enroll: off\n");
-                break;
-        case ENROLL_MANUAL:
-                printf("    secure-boot-enroll: manual\n");
-                break;
-        case ENROLL_IF_SAFE:
-                printf("    secure-boot-enroll: if-safe\n");
-                break;
-        case ENROLL_FORCE:
-                printf("    secure-boot-enroll: force\n");
-                break;
-        default:
-                assert_not_reached();
-        }
+        printf("       reboot-on-error: %s\n",  reboot_on_error_to_string(config->reboot_on_error));
+        printf("    secure-boot-enroll: %s\n",  secure_boot_enroll_to_string(config->secure_boot_enroll));
 
         switch (config->console_mode) {
         case CONSOLE_MODE_AUTO:
diff --git a/src/boot/efi-string-table.h b/src/boot/efi-string-table.h
new file mode 100644
index 00000000000..1053e752693
--- /dev/null
+++ b/src/boot/efi-string-table.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "macro-fundamental.h"
+
+#define _DEFINE_STRING_TABLE_LOOKUP_TO_STRING(name,type,scope)          \
+        scope const char* name##_to_string(type i) {                    \
+                assert(i >= 0 && i < (type) ELEMENTSOF(name##_table));  \
+                return name##_table[i];                                 \
+        }
+
+#define DEFINE_STRING_TABLE_LOOKUP_TO_STRING(name,type) _DEFINE_STRING_TABLE_LOOKUP_TO_STRING(name,type,)
+#define DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(name,type) _DEFINE_STRING_TABLE_LOOKUP_TO_STRING(name,type,static)
diff --git a/src/boot/secure-boot.c b/src/boot/secure-boot.c
index fc8b96ef44a..1fdb1e2c344 100644
--- a/src/boot/secure-boot.c
+++ b/src/boot/secure-boot.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "console.h"
+#include "efi-string-table.h"
 #include "efivars.h"
 #include "proto/security-arch.h"
 #include "secure-boot.h"
@@ -287,3 +288,12 @@ void uninstall_security_override(void) {
         if (security_override.original_hook2)
                 security_override.security2->FileAuthentication = security_override.original_hook2;
 }
+
+static const char *secure_boot_enroll_table[_SECURE_BOOT_ENROLL_MAX] = {
+        [ENROLL_OFF]     = "off",
+        [ENROLL_MANUAL]  = "manual",
+        [ENROLL_IF_SAFE] = "if-safe",
+        [ENROLL_FORCE]   = "force"
+};
+
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(secure_boot_enroll, secure_boot_enroll);
diff --git a/src/boot/secure-boot.h b/src/boot/secure-boot.h
index 347113135ff..5349fc039e6 100644
--- a/src/boot/secure-boot.h
+++ b/src/boot/secure-boot.h
@@ -9,6 +9,7 @@ typedef enum {
         ENROLL_MANUAL,      /* Secure Boot key enrollment is strictly manual: manual entries are generated and need to be selected by the user */
         ENROLL_IF_SAFE,     /* Automatically enroll if it is safe (if we are running inside a VM, for example). */
         ENROLL_FORCE,       /* Secure Boot key enrollment may be automatic if it is available but might not be safe */
+        _SECURE_BOOT_ENROLL_MAX,
 } secure_boot_enroll;
 
 bool secure_boot_enabled(void);
@@ -24,3 +25,5 @@ typedef bool (*security_validator_t)(
 
 void install_security_override(security_validator_t validator, const void *validator_ctx);
 void uninstall_security_override(void);
+
+const char* secure_boot_enroll_to_string(secure_boot_enroll e) _const_;