Hi guys.

I'm trying to securely boot a guest (ultimately it will be Windows; I hear it's secure boot only for Win11) via PXE, but I can't figure it out. This is my first foray into it.
VM fails with:

iPXE initialising devices...
autoexec.ipxe... Not found (https://ipxe.org/2d12618e)

iPXE 1.21.1+ (g5c49e) -- Open Source Network Boot Firmware -- https://ipxe.org
Features: DNS HTTP iSCSI TFTP VLAN SRP AoE EFI Menu

net0: 02:2d:7a:34:9f:90 using virtio-net on 0000:01:00.0 (Ethernet) [open]
  [Link:up, TX:0 TXE:1 RX:0 RXE:0]
  [TXE: 1 x "Network unreachable (https://ipxe.org/28086090)"]
Configuring (net0 02:2d:7a:34:9f:90)...... ok
net0: 10.3.1.14/255.255.252.0 gw 10.3.1.254
net0: fe80::2d:7aff:fe34:9f90/64
Next server: 10.3.1.99
Filename: ipxe-shimx64.efi
tftp://10.3.1.99/ipxe-shimx64.efi... ok
ipxe-shimx64.efi : 961448 bytes [EFI]
Fetching Netboot Image ipxe.efi
Malformed binary after Attribute Certificate Table
datasize: 4194304 SumOfBytesHashed: 1044480 SecDir->Size: 1536
hashsize: 3148288 SecDir->VirtualAddress: 0x000FF000
Failed to load image: Invalid Parameter
start_image() returned Invalid Parameter, falling back to default loader
Fetching Netboot Image ipxe.efi
Malformed binary after Attribute Certificate Table
datasize: 4194304 SumOfBytesHashed: 1044480 SecDir->Size: 1536
hashsize: 3148288 SecDir->VirtualAddress: 0x000FF000
Failed to load image: Invalid Parameter
start_image() returned Invalid Parameter

Guest domain is like so:
...
    <firmware>
      <feature enabled='no' name='enrolled-keys'/>
      <feature enabled='no' name='secure-boot'/>
    </firmware>
    <loader readonly='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
    <nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd' templateFormat='raw' format='raw'>/var/lib/libvirt/qemu/nvram/dzien-win-secbot_VARS.fd</nvram>
...

Here the boot is not secure, but when it is secure it also fails. I did it this way so I could capture the PXE process, which is more verbose here, as opposed to secure boot, which pops up a blue screen with only a short message.

I'm presuming I'm signing something (bootloaders and/or the EFI vars store) wrong?
I'm on CentOS 9 with binaries up to date as of today.
Any/all thoughts are much appreciated.

many thanks, L.
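
An added diagnostic sketch, not part of the original post and not shim's own code: it reads the PE security data directory of an EFI image and reports how many bytes follow the Attribute Certificate Table. It assumes `datasize` in the log is the size of the fetched file and `SecDir` is the PE security directory; the function names are hypothetical and the sample image is a constructed header-only stub built from the log's values.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directory array

def security_dir(data: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = pe + 24                                     # signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)      # start of data directories
    count = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)

def trailing_after_certs(data: bytes) -> int:
    """Bytes left in the file after the certificate table ends."""
    offset, size = security_dir(data)
    if size == 0:
        raise ValueError("image carries no certificate table (unsigned)")
    if offset + size > len(data):
        raise ValueError("certificate table runs past end of file")
    return len(data) - (offset + size)

def make_sample(file_size: int, cert_offset: int, cert_size: int) -> bytes:
    """Constructed header-only PE32+ stub for illustration; not a bootable image."""
    buf = bytearray(file_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<I", buf, opt + 108, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 8 * SECURITY_DIR_INDEX, cert_offset, cert_size)
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample(4194304, 0x000FF000, 1536)   # values taken from the log above
    print(trailing_after_certs(sample))
```

With the log's values the result is 3148288, the same figure the log prints as `hashsize`. Running `trailing_after_certs` on the actual second-stage file served over TFTP shows whether that file has data after its signature.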