IIRC, uboot can only support UEFI SecureBoot in a special manner, which needs to specifically install the PK, KEK and db via the u-boot shell. See: https://github.com/u-boot/u-boot/blob/v2022.04/doc/develop/uefi/uefi.rst#configuring-uefi-secure-boot BTW, MokUtil shouldn't be able to create any EFI variable to uboot because uboot has not yet supported SetVariable [EFI_RT_SUPPORTED_SET_VARIABLE, 0x0040] in its real-time services table. See: https://github.com/u-boot/u-boot/blob/v2022.04/lib/efi_loader/efi_runtime.c#L124