diff --git a/utils/qemu-uefi-tpm.nix b/utils/qemu-uefi-tpm.nix
index 0193a27..4fcadfd 100644
--- a/utils/qemu-uefi-tpm.nix
+++ b/utils/qemu-uefi-tpm.nix
@@ -12,7 +12,7 @@ pkgs.writeShellApplication {
 
   text =
     let
-      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
+      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; secureBoot = true; };
     in
     ''
       set -ex
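Review bot: `secureBoot = true` on the `tpmOVMF` line only builds Secure Boot support into the firmware; whether the guest actually enforces signature checks depends on the PK/KEK/db contents of the variable store it boots from, and a stock `OVMF_VARS.fd` template (as used elsewhere in this file) may ship with no keys enrolled, which leaves the firmware in setup mode with nothing enforced. If enforcement is the goal, either start from a template with keys pre-enrolled (nixpkgs' OVMF has an `msVarsTemplate` option, if the revision you pin exposes it) or enroll keys from inside the guest and keep the store across runs. Either way, state the intent next to the override, e.g. `# secureBoot only builds in support; enforcement needs PK/KEK/db enrolled in OVMF_VARS`. The surrounding `writeShellApplication` attribute set starts before this hunk.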
@@ -26,6 +26,9 @@ pkgs.writeShellApplication {
         --tpm2 \
         --log file="$state/swtpm.log",level=20
 
+      cp ${tpmOVMF.variables} "$state"
+      chmod 700 "$state/OVMF_VARS.fd"
+
       qemu-system-x86_64 \
         -enable-kvm \
         -machine q35,accel=kvm \
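Review bot: The unconditional `cp` of the variables template overwrites `$state/OVMF_VARS.fd` on every launch, so any UEFI variables the guest persists — boot entries and, with this firmware build, any Secure Boot keys enrolled in the guest — are discarded between runs, which undoes the point of making the store writable; if persistence is intended, guard it with `if [ ! -f "$state/OVMF_VARS.fd" ]; then cp ${tpmOVMF.variables} "$state/OVMF_VARS.fd"; chmod 600 "$state/OVMF_VARS.fd"; fi`. Naming the destination explicitly also removes the hidden coupling between the `cp` (which relies on the store file's basename) and the hard-coded `OVMF_VARS.fd` in the `chmod`. The chmod itself is needed because a copy out of the Nix store arrives read-only and QEMU now opens the file for writing, but `700` sets an execute bit a flash image never needs; `600` is the right mode. If the script deliberately resets firmware state on each run, say so in a comment above the copy instead.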
@@ -37,7 +40,7 @@ pkgs.writeShellApplication {
         -serial chardev:char0 \
         -mon chardev=char0 \
         -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
-        -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
+        -drive "if=pflash,format=raw,unit=1,file=$state/OVMF_VARS.fd" \
         -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
         -tpmdev emulator,id=tpm0,chardev=chrtpm \
         -device tpm-tis,tpmdev=tpm0 \