diff --git a/edk2.spec b/edk2.spec
index ecf952d..e753e65 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -1,7 +1,13 @@
 %global edk2_date        20171011
 %global edk2_githash     92d07e4
 %global openssl_version  1.1.0e
+%global qosb_version     1.1.2
 
+%define qosb_testing 0
+
+%ifarch x86_64
+%define qosb_testing 1
+%endif
 %if 0%{?fedora:1}
 %define cross 1
 %endif
@@ -29,7 +35,7 @@
 
 Name:           edk2
 Version:        %{edk2_date}git%{edk2_githash}
-Release:        5%{dist}
+Release:        6%{dist}
 Summary:        EFI Development Kit II
 
 Group:          Applications/Emulators
@@ -38,6 +44,7 @@ URL:            http://www.tianocore.org/edk2/
 Source0:        edk2-%{edk2_date}-%{edk2_githash}.tar.xz
 Source1:        openssl-%{openssl_version}-hobbled.tar.xz
 Source2:        ovmf-whitepaper-c770f8c.txt
+Source3:        https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v%{qosb_version}/qemu-ovmf-secureboot-%{qosb_version}.tar.gz
 Source10:       hobble-openssl
 Source11:       build-iso.sh
 Source12:       update-tarball.sh
@@ -110,6 +117,19 @@ BuildRequires:  nasm
 BuildRequires:  qemu-img
 BuildRequires:  genisoimage
 
+# These are for QOSB
+BuildRequires:  python3-requests
+BuildRequires:  qemu
+%if %{?qosb_testing}
+# This is used for testing the enrollment: builds are run in a chroot, lacking
+# a kernel. The testing is only performed on x86_64 for now, but we can't make
+# the BuildRequires only on a specific arch, as that'd come through in the SRPM
+# NOTE: The actual enrollment needs to happen in all builds for all architectures,
+# because OVMF is built as noarch, which means that koji enforces that the build
+# results don't actually differ per arch, and then it picks a random arches' build
+# for the actual RPM.
+BuildRequires:  kernel-core
+%endif
 
 %description
 EDK II is a development code base for creating UEFI drivers, applications
@@ -141,6 +161,15 @@ BuildArch:      noarch
 This package documents the tools that are needed to
 build EFI executables and ROMs using the GNU tools.
 
+%package qosb
+Summary:        Tool to enroll secureboot
+Group:          Development/Tools
+Buildarch:      noarch
+%description qosb
+This package contains QOSB (QEMU OVMF Secure Boot), which can enroll OVMF
+variable files to enforce Secure Boot.
+
+
 %if 0%{?build_ovmf_x64:1}
 %package ovmf
 Summary:        Open Virtual Machine Firmware
@@ -200,6 +229,11 @@ cp -a -- %{SOURCE2} .
 (cd .. && tar -xvf %{SOURCE1})
 cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
 
+# Extract QOSB
+tar -xvf %{SOURCE3}
+mv qemu-ovmf-secureboot-%{qosb_version}/README.md README.qosb
+mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb
+
 %autopatch -p1
 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
 
@@ -264,6 +298,15 @@ cp Build/Ovmf3264/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd
 cp Build/Ovmf3264/*/X64/Shell.efi ovmf/
 cp Build/Ovmf3264/*/X64/EnrollDefaultKeys.efi ovmf
 sh %{_sourcedir}/build-iso.sh ovmf/
+
+# Build enrolled VARS file
+python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
+	--qemu-binary /usr/bin/qemu-system-x86_64 \
+	--skip-testing \
+	--ovmf-binary ovmf/OVMF_CODE.secboot.fd \
+	--ovmf-template-vars ovmf/OVMF_VARS.fd \
+	--uefi-shell-iso ovmf/UefiShell.iso \
+	ovmf/OVMF_VARS.secboot.fd
 %endif
 
 
@@ -306,6 +349,23 @@ dd of="arm/QEMU_EFI-pflash.raw" if="arm/QEMU_EFI.fd" conv=notrunc
 dd of="arm/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
 %endif
 
+%check
+%if 0%{?build_ovmf_x64:1}
+%if 0%{?qosb_testing}
+# Verify enrolled VARS file
+python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \
+	--qemu-binary /usr/bin/qemu-system-x86_64 \
+	--skip-enrollment \
+	--print-output \
+	--ovmf-binary ovmf/OVMF_CODE.secboot.fd \
+	--ovmf-template-vars ovmf/OVMF_VARS.fd \
+	--uefi-shell-iso ovmf/UefiShell.iso \
+	--no-download \
+	--kernel-path `rpm -ql kernel-core | grep "\/vmlinuz$" -m 1` \
+	ovmf/OVMF_VARS.secboot.fd
+%endif
+%endif
+
 %install
 mkdir -p %{buildroot}%{_bindir} \
          %{buildroot}%{_datadir}/%{name}/Conf \
@@ -337,6 +397,7 @@ mkdir %{buildroot}/usr/share/OVMF
 ln -sf ../%{name}/ovmf/OVMF_CODE.fd                %{buildroot}/usr/share/OVMF
 ln -sf ../%{name}/ovmf/OVMF_CODE.secboot.fd        %{buildroot}/usr/share/OVMF
 ln -sf ../%{name}/ovmf/OVMF_VARS.fd                %{buildroot}/usr/share/OVMF
+ln -sf ../%{name}/ovmf/OVMF_VARS.secboot.fd        %{buildroot}/usr/share/OVMF
 ln -sf ../%{name}/ovmf/UefiShell.iso               %{buildroot}/usr/share/OVMF
 %endif
 %if 0%{?build_ovmf_ia32:1}
@@ -354,6 +415,8 @@ cp -a arm %{buildroot}/usr/share/%{name}
 ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw          %{buildroot}/usr/share/AAVMF/AAVMF32_CODE.fd
 %endif
 
+install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_bindir}
+
 
 %files tools
 %license License.txt
@@ -397,6 +460,11 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw          %{buildroot}/usr/share/AAVMF/
 %files tools-doc
 %doc BaseTools/UserManuals/*.rtf
 
+%files qosb
+%license LICENSE.qosb
+%doc README.qosb
+%{_bindir}/ovmf-vars-generator
+
 %if 0%{?build_ovmf_x64:1}
 %files ovmf
 %license OvmfPkg/License.txt
@@ -448,6 +516,10 @@ ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw          %{buildroot}/usr/share/AAVMF/
 
 
 %changelog
+* Fri Mar 30 2018 Patrick Uiterwijk <puiterwijk@redhat.com> - 20171011git92d07e4-6
+- Add qemu-ovmf-secureboot (qosb)
+- Generate pre-enrolled Secure Boot OVMF VARS files
+
 * Wed Mar 07 2018 Paolo Bonzini <pbonzini@redhat.com> - 20171011git92d07e4-5
 - Fix GCC 8 compilation
 - Replace dosfstools and mtools with qemu-img vvfat