Guest with secure boot & PXE ?
Hi guys. I'm trying to boot a guest securely - ultimately it will be Windows, I hear only secure boot for Win11 - via PXE but I fail to figure it out - my first foray into it. VM fails with:

iPXE initialising devices...
autoexec.ipxe... Not found (https://ipxe.org/2d12618e)
iPXE 1.21.1+ (g5c49e) -- Open Source Network Boot Firmware -- https://ipxe.org
Features: DNS HTTP iSCSI TFTP VLAN SRP AoE EFI Menu
net0: 02:2d:7a:34:9f:90 using virtio-net on 0000:01:00.0 (Ethernet) [open]
  [Link:up, TX:0 TXE:1 RX:0 RXE:0]
  [TXE: 1 x "Network unreachable (https://ipxe.org/28086090)"]
Configuring (net0 02:2d:7a:34:9f:90)...... ok
net0: 10.3.1.14/255.255.252.0 gw 10.3.1.254
net0: fe80::2d:7aff:fe34:9f90/64
Next server: 10.3.1.99
Filename: ipxe-shimx64.efi
tftp://10.3.1.99/ipxe-shimx64.efi... ok
ipxe-shimx64.efi : 961448 bytes [EFI]
Fetching Netboot Image ipxe-efi
Malformed binary after Attribute Certificate Table
datasize: 4194304 SumOfBytesHashed: 1044480 SecDir->Size: 1536
hashsize: 3148288 SecDir->VirtualAddress: 0x000FF000
Failed to load image: Invalid Parameter
start_image() returned Invalid Parameter, falling back to default loader
Fetching Netboot Image ipxe-efi
Malformed binary after Attribute Certificate Table
datasize: 4194304 SumOfBytesHashed: 1044480 SecDir->Size: 1536
hashsize: 3148288 SecDir->VirtualAddress: 0x000FF000
Failed to load image: Invalid Parameter
start_image() returned Invalid Parameter

Guest domain is like so:

...
<firmware>
  <feature enabled='no' name='enrolled-keys'/>
  <feature enabled='no' name='secure-boot'/>
</firmware>
<loader readonly='yes' type='pflash' format='raw'>/usr/share/edk2/ovmf/OVMF_CODE.fd</loader>
<nvram template='/usr/share/edk2/ovmf/OVMF_VARS.fd' templateFormat='raw' format='raw'>/var/lib/libvirt/qemu/nvram/dzien-win-secbot_VARS.fd</nvram>
...
Here boot is not secure - but when it is secure, it also fails - so I could capture the PXE process, which is more verbose here, as opposed to secure, which pops up a blue screen with only a short message. I'm presuming I sign something - bootloaders & EFI vars store - wrong? I'm on CentOS 9 with binaries up to today. Any/all thoughts are much appreciated. many thanks, L.
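The numbers in the log above describe an image whose certificate table ends at 0xFF000 + 1536 = 0xFF600 while the loaded data runs to 4194304 bytes, so there are bytes after the Attribute Certificate Table that the Authenticode hash does not cover. The script below is an added example, not code from the original post or from iPXE, shim or EDK2; it reads a PE/EFI image's security data directory and reports such trailing data, using a constructed minimal PE32+ as input (assumed sample data, not the poster's binary).

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the Attribute Certificate Table


def cert_table(pe: bytes) -> tuple[int, int]:
    """Return (file offset, size) of the Attribute Certificate Table, or (0, 0) if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    # Data directories begin 96 bytes (PE32) or 112 bytes (PE32+) into the optional header,
    # immediately after the 4-byte NumberOfRvaAndSizes field.
    dirs = opt + (112 if magic == 0x20B else 96)
    num_dirs, = struct.unpack_from("<I", pe, dirs - 4)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    # Unlike other directories, the security entry's "VirtualAddress" is a raw file offset.
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_trailing_data(pe: bytes) -> dict:
    """Authenticode hashes everything except the certificate table, and the table must end
    the file; bytes after it are unhashed, so a verifier has to reject the image."""
    off, size = cert_table(pe)
    trailing = len(pe) - (off + size) if size else len(pe)
    return {"cert_offset": off, "cert_size": size, "trailing_bytes": trailing,
            "signed": size > 0, "well_formed": size > 0 and trailing == 0}


def build_sample(trailing: int) -> bytes:
    """Constructed minimal PE32+ (no sections) with a dummy 16-byte WIN_CERTIFICATE at 0x200,
    followed by `trailing` zero bytes. Sample data for illustration only."""
    cert_off, cert_size = 0x200, 16
    hdr = bytearray(88 + 240)                    # DOS stub + PE sig + COFF + PE32+ optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)        # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 68, 0x8664, 0)  # Machine = x64, NumberOfSections = 0
    struct.pack_into("<H", hdr, 68 + 16, 240)    # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", hdr, 88, 0x20B)       # PE32+ magic
    struct.pack_into("<I", hdr, 88 + 108, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 88 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * 8  # dwLength, wRevision, wCertificateType
    return bytes(hdr).ljust(cert_off, b"\0") + cert + b"\0" * trailing


if __name__ == "__main__":
    import sys
    print(check_trailing_data(open(sys.argv[1], "rb").read()))
```

Pointed at the shim and the second-stage image the TFTP server hands out, it shows whether either file carries data past its signature before the firmware ever gets to reject it.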
participants (1)
- lejeczek