Hi, I am altering a BIOS image with a new bootloader EFI application. I have installed test keys successfully into the UEFI bios via the APTIO setup menus, but now it won't boot complaining about signature failure, before it even runs my EFI loader, it simply is failing on POR. When you add your PK/KEK and DB keys, does the BIOS image add hashes to DB of the existing UEFI BIOS modules because if it does not, I do not see how anyone can use secure boot without having the source for the modules and signing them? Do I have to extract all modules and sign them myself (UEFITool/MMTool etc.)? somehow rebuilding them into a flash file? If so, does this include everything, TE exe's? Freeform sections? or just DXE EFI modules? There is very little documentation on this subject, at least in the BIOS manual. I have put my secure boot test keys online and signed/unsigned test EFI in case someone spots something I've not done. www filedropper dot com slash secureboottest Regards, dc