On Thu, 2022-11-10 at 16:06 +0100, Morten Linderud wrote:
> I'm not really sure what Peter means with "much more reliable"
> though.

It's that in-head knowledge you referred to. You can't see the true MoK variables because they're BootServices, meaning they're not visible in the RunTime, which is why the shadow RT variables exist (this is a security property: BS only variables can only be altered by trusted, signed entities). However, lots of things can create RT variables, so you have to run through a sequence of checks on the RT shadows to try to defeat clever attackers (like verifying the variable attributes), because the chain of custody from BS to RT is not guaranteed.

If you use a configuration table instead, that is BS only, the kernel (which is also a trusted entity) has to pick it out before ExitBootServices, so if the kernel has the table, you have a reliable chain of custody for the entries.

James
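The attribute check on the RT shadows mentioned above, as an added example that is not code from the thread, shim or the kernel: it parses the efivarfs file format (a 4-byte little-endian attribute word followed by the variable data) and accepts a MokListRT copy only if its attributes match what shim's mirror is assumed to carry here (volatile, BS|RT). The expected attribute set and the sample byte strings are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

# UEFI variable attribute bits from the GetVariable/SetVariable interface.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

# Assumption for this example: shim publishes the RT shadow of the BS-only
# MoK variables as a volatile BS|RT variable, so that is the only set accepted.
EXPECTED_SHADOW_ATTRS = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS


@dataclass
class ShadowVar:
    attrs: int
    data: bytes


def parse_efivarfs(blob: bytes) -> ShadowVar:
    """Split an efivarfs file into its attribute word and raw contents."""
    if len(blob) < 4:
        raise ValueError("efivarfs file too short to contain attributes")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return ShadowVar(attrs=attrs, data=blob[4:])


def shadow_is_plausible(var: ShadowVar) -> tuple[bool, str]:
    """One of the checks on the RT shadow: reject any attribute set other than
    the volatile BS|RT mirror. This is a heuristic, not a chain of custody;
    the configuration table route avoids the question entirely."""
    if var.attrs & EFI_VARIABLE_NON_VOLATILE:
        return False, "NON_VOLATILE set: not the expected volatile mirror"
    if var.attrs & EXPECTED_SHADOW_ATTRS != EXPECTED_SHADOW_ATTRS:
        return False, "missing BOOTSERVICE_ACCESS or RUNTIME_ACCESS"
    extra = var.attrs & ~EXPECTED_SHADOW_ATTRS
    if extra:
        return False, f"unexpected attribute bits 0x{extra:x}"
    return True, "attributes consistent with a BS-era mirror"


# Constructed sample inputs (placeholder data, not real MokListRT contents).
GOOD_SAMPLE = struct.pack("<I", EXPECTED_SHADOW_ATTRS) + b"\x00" * 8
FORGED_SAMPLE = struct.pack("<I", EXPECTED_SHADOW_ATTRS | EFI_VARIABLE_NON_VOLATILE) + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("good", GOOD_SAMPLE), ("forged", FORGED_SAMPLE)):
        ok, why = shadow_is_plausible(parse_efivarfs(blob))
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```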