diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
index 3118ef96c9..50c254fd46 100755
--- a/build_library/qemu_template.sh
+++ b/build_library/qemu_template.sh
@@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then
 else
     case "${VM_BOARD}+$(uname -m)" in
         amd64-usr+x86_64)
+            set -- -global ICH9-LPC.disable_s3=1 \
+                   -global driver=cfi.pflash01,property=secure,value=on \
+                   "$@"
             # Emulate the host CPU closely in both features and cores.
-            set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+            set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@"
+            ;;
         amd64-usr+*)
-            set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+            set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
         arm64-usr+aarch64)
             set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
         arm64-usr+*)
@@ -215,8 +219,8 @@ fi
 
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
     set -- \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
-        -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+        -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+        -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi
 
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 3f50810243..70c4564ef3 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -821,14 +821,18 @@ _write_qemu_uefi_conf() {
 
 _write_qemu_uefi_secure_conf() {
     local flash_rw="$(_dst_name "_efi_vars.fd")"
+    local flash_ro="$(_dst_name "_efi_code.fd")"
+    local script="$(_dst_dir)/$(_dst_name ".sh")"
 
     _write_qemu_uefi_conf
+    cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
     cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
     cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
     flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+    sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 
 _write_pxe_conf() {