diff --git a/blog/posts/secure-boot.md b/blog/posts/secure-boot.md index 0c0f41c4f..27051eb54 100644 --- a/blog/posts/secure-boot.md +++ b/blog/posts/secure-boot.md @@ -73,4 +73,6 @@ graph LR E[Secure Firmware Update Key] ``` -The PK acts as the root of trust for the KEK which in turn verifies both the signature database and revoked signature database. \ No newline at end of file +The PK acts as the root of trust for the KEK which in turn verifies both the signature database and revoked signature database. They're all stored in non-volatile memory (NVRAM) so they can be erased and replaced with different keys if desired. + +The secure firmware update key is typically stored in such a way that it's non-writable and protected by hardware, that way in order to flash new firmware, you always need to verify that the firmware is signed by the OEM. This process is separate from Secure Boot. \ No newline at end of file
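Review bot: In the first added sentence, "They're all stored in non-volatile memory (NVRAM) so they can be erased and replaced with different keys if desired" has an ambiguous subject and an unexplained "so". "They" can be read as including the Secure Firmware Update Key from the graph just above, which the next added paragraph describes as non-writable; name the PK, KEK, signature database and revoked signature database explicitly. The sentence also presents replacement as a consequence of NVRAM storage without saying who may replace the keys or how a replacement is authorized, which matters directly after the PK has been described as the root of trust; a short clause on that would close the gap. In the second added paragraph, "that way in order to flash new firmware, you always need to verify" is a comma splice and leaves unclear who performs the check; consider something like "so that new firmware can only be flashed once it is verified as signed by the OEM". The file also still ends without a trailing newline.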