From 5b850c4d272eba785392115afb49c44e821f316c Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Mon, 27 Oct 2025 06:55:14 -0500 Subject: [PATCH] add more detail about secure boot --- blog/posts/secure-boot.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/blog/posts/secure-boot.md b/blog/posts/secure-boot.md index 0c0f41c4f..27051eb54 100644 --- a/blog/posts/secure-boot.md +++ b/blog/posts/secure-boot.md @@ -73,4 +73,6 @@ graph LR E[Secure Firmware Update Key] ``` -The PK acts as the root of trust for the KEK which in turn verifies both the signature database and revoked signature database. \ No newline at end of file +The PK acts as the root of trust for the KEK which in turn verifies both the signature database and revoked signature database. They're all stored in non-volatile memory (NVRAM) so they can be erased and replaced with different keys if desired. + +The secure firmware update key is typically stored in such a way that it's non-writable and protected by hardware, that way in order to flash new firmware, you always need to verify that the firmware is signed by the OEM. This process is separate from Secure Boot. \ No newline at end of file
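Review bot: the added sentence "They're all stored in non-volatile memory (NVRAM) so they can be erased and replaced with different keys if desired" in the first `+` line overstates what NVRAM storage implies: PK, KEK, db and dbx are UEFI authenticated variables, so a write to PK or KEK must carry a signature that chains to the current PK, and a write to db or dbx must be signed by a KEK entry (or the PK); the only unauthenticated path is clearing the PK, which puts the platform into Setup Mode, typically from the firmware settings menu. Suggest rewording to something like "They're stored in NVRAM as authenticated variables, so they can be replaced with different keys, but only with an update signed by the key above them in the hierarchy, or by clearing the PK to enter Setup Mode." The second `+` paragraph's "stored in such a way that it's non-writable and protected by hardware" is vague for a post whose point is the trust chain; if the intent is that the OEM's firmware update verification key lives in boot ROM or one-time-programmable fuses rather than in NVRAM, say so explicitly, and the contrast with the NVRAM-resident Secure Boot keys then makes the "separate from Secure Boot" sentence land. Minor: both the old and new last line still read `\ No newline at end of file`; adding the trailing newline while touching this line would keep future diffs clean.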