I am having some trouble appending to Secure Boot variables from the OS. I'm using a software stack that uses the efitools package on top of RHEL 7 to set Secure Boot variables (PK, KEK, and db) from the OS as opposed to the UEFI menu. All variable values are in the EFI_VARIABLE_AUTHENTICATION_2 format specified in the UEFI 2.6 spec.

The efi-updatevar binary (from efitools) is used to set the PK, KEK, and db variables; this step executes correctly. However, when I attempt to append new hashes to the db variable, the change does not take effect even though the efi-updatevar command indicates success. What's really peculiar is that the append does consistently work after exactly 7 attempts of running efi-updatevar.

I have no idea why 7 would be the magic number, but this is a VMware-only issue. All the other platforms I've tested (HPE DL360 Gen 9 and 10, Dell R640 Gen 13 and 14, and TianoCore running on QEMU) work on the first append attempt, as I would expect. Is there some quirk of VMware's Secure Boot implementation I am not taking into account, or have I stumbled upon a bug?
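A read-back check for the situation described in the post, as an added example that is not part of the original post or of efitools: it parses the db variable as Linux efivarfs exposes it (assumed path `DB_PATH`) and reports whether a given SHA-256 hash is present, so each append can be confirmed from the stored data rather than from the tool's exit status. `build_sha256_list`, the owner GUID and the digests in the demo are constructed sample data.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI spec: marks a list of SHA-256 hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed efivarfs location of db (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:  # 16-byte type GUID + three little-endian UINT32 sizes
            raise ValueError("truncated list header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("inconsistent sizes in list at offset %d" % off)
        while pos < end:  # each entry: 16-byte owner GUID followed by the signature data
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def db_contains_sha256(blob, digest):
    """True if the 32-byte SHA-256 digest appears in any SHA-256 signature list."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest for t, _, d in parse_signature_lists(blob))

def read_efivarfs(path=DB_PATH):
    """Return the variable data; efivarfs prefixes it with a 4-byte attributes field."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_sha256_list(owner, digests):
    """Constructed sample input: one EFI_SIGNATURE_LIST of SHA-256 entries."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

if __name__ == "__main__":
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
    old, new = (hashlib.sha256(s).digest() for s in (b"constructed-old", b"constructed-new"))
    before = build_sha256_list(owner, [old])           # db contents before the append
    after = before + build_sha256_list(owner, [new])   # an append adds another list
    print("before append:", db_contains_sha256(before, new))
    print("after append: ", db_contains_sha256(after, new))
```

On a live system, call `db_contains_sha256(read_efivarfs(), digest)` after each efi-updatevar run and log the result together with the size of the returned data, which shows whether the stored variable changed at all between attempts.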