VMware Communities
rkliewer
Contributor

Workstation Pro 14 Cannot Append to Secure Boot Variables from the OS

I am having some trouble appending to Secure Boot variables from the OS. I'm using a software stack that uses the efitools package on top of RHEL 7 to set Secure Boot variables (PK, KEK, and db) from the OS as opposed to the UEFI menu. All variable values are in the EFI_VARIABLE_AUTHENTICATION_2 format specified in the UEFI 2.6 spec. The efi-updatevar binary (from efitools) is used to set the PK, KEK, and db variables; this step executes correctly. However, when I attempt to append new hashes to the db variable the change does not take effect even though the efi-updatevar command indicates success. What's really peculiar is that the append does consistently work after exactly 7 attempts of running efi-updatevar. I have no idea why 7 would be the magic number, but this is a VMware-only issue. All the other platforms I've tested (HPE DL360 Gen 9 and 10, Dell R640 Gen 13 and 14, and TianoCore running on QEMU) work on the first append attempt as I would expect. Is there some quirk of VMware's Secure Boot implementation I am not taking into account, or have I stumbled upon a bug?
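Added example (not from the original post, and not efitools code): a small parser for the EFI_SIGNATURE_LIST chain that makes up the db payload, so that after each efi-updatevar append the variable can be read back from efivarfs and checked for the new hash instead of trusting the command's exit status. The efivarfs path constant and the list-building helper used for test data are assumptions.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): marks an EFI_SIGNATURE_LIST holding SHA-256 hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed efivarfs path of db; the GUID suffix is EFI_IMAGE_SECURITY_DATABASE_GUID.
DB_EFIVARFS_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data: bytes):
    """Walk the EFI_SIGNATURE_LIST chain that forms the payload of db/dbx/KEK.
    Returns (SignatureType, SignatureOwner, SignatureData) per entry and
    rejects malformed sizes rather than reading past a list."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or pos > end or end > len(data) or (end - pos) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def read_efivar(path: str = DB_EFIVARFS_PATH) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attributes word; strip it."""
    with open(path, "rb") as f:
        return f.read()[4:]


def db_contains_sha256(data: bytes, digest_hex: str) -> bool:
    """True if the SHA-256 digest is present as a hash entry in the payload."""
    want = bytes.fromhex(digest_hex)
    return any(t == EFI_CERT_SHA256_GUID and sig == want
               for t, _, sig in parse_signature_lists(data))


def build_sha256_list(owner: uuid.UUID, digests) -> bytes:
    """Constructed test data: encode SHA-256 digests as one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", 28 + len(body), 0, 16 + 32) + body)
```

On the guest, `db_contains_sha256(read_efivar(), "<hex digest>")` run after each efi-updatevar call shows on which attempt the append actually lands.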
