diff --git a/.github/workflows/linux_edk2.yml b/.github/workflows/linux_edk2.yml
index 14864a0c..4d4e5e12 100644
--- a/.github/workflows/linux_edk2.yml
+++ b/.github/workflows/linux_edk2.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2022, Pete Batard
+# Copyright (c) 2021-2024, Pete Batard
 # SPDX-License-Identifier: BSD-3-Clause

 name: UEFI firmware - EDK2 build
@@ -47,9 +47,12 @@ jobs:
 mkdir keys
 # We don't really need a usable PK, so just generate a public key for it and discard the private key
 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256
- curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer
+ curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek1.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239775 -o keys/ms_kek2.cer
 curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer
 curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239776 -o keys/ms_db3.cer
+ curl -L https://go.microsoft.com/fwlink/?linkid=2239872 -o keys/ms_db4.cer
 curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin

 - name: Build UEFI firmware
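Review bot: The three added `curl -L` downloads (`ms_kek2.cer`, `ms_db3.cer`, `ms_db4.cer`) write whatever the fwlink redirect returns straight into `keys/`, with no failure flag and no integrity check, and those files become the firmware's default Secure Boot KEK and db trust anchors. An HTTP error page or a changed redirect target would therefore be built into the image without any warning. Each new line should at least fail on HTTP errors and have its URL quoted, e.g. `curl -fL "https://go.microsoft.com/fwlink/?linkid=2239775" -o keys/ms_kek2.cer`. The step should then verify the results against digests committed to the repository, e.g. `sha256sum -c <pinned-digests-file>`; the existing downloads in this step have the same gap. A short comment naming the certificate each fwlink id is expected to return would also help later reviewers; the `run:` block begins before the hunk.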
@@ -58,7 +61,7 @@ jobs:
 export PACKAGES_PATH=$WORKSPACE/edk2:$WORKSPACE/edk2-platforms:$WORKSPACE/edk2-non-osi
 export BUILD_FLAGS="-D SECURE_BOOT_ENABLE=TRUE -D INCLUDE_TFTP_COMMAND=TRUE -D NETWORK_ISCSI_ENABLE=TRUE -D SMC_PCI_SUPPORT=1"
 export TLS_DISABLE_FLAGS="-D NETWORK_TLS_ENABLE=FALSE -D NETWORK_ALLOW_HTTP_CONNECTIONS=TRUE"
- export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin"
+ export DEFAULT_KEYS="-D DEFAULT_KEYS=TRUE -D PK_DEFAULT_FILE=$WORKSPACE/keys/pk.cer -D KEK_DEFAULT_FILE1=$WORKSPACE/keys/ms_kek1.cer -D KEK_DEFAULT_FILE2=$WORKSPACE/keys/ms_kek2.cer -D DB_DEFAULT_FILE1=$WORKSPACE/keys/ms_db1.cer -D DB_DEFAULT_FILE2=$WORKSPACE/keys/ms_db2.cer -D DB_DEFAULT_FILE3=$WORKSPACE/keys/ms_db3.cer -D DB_DEFAULT_FILE4=$WORKSPACE/keys/ms_db4.cer -D DBX_DEFAULT_FILE1=$WORKSPACE/keys/arm64_dbx.bin"
 # EDK2's 'build' command doesn't play nice with spaces in environmnent variables, so we can't move the PCDs there...
 source edk2/edksetup.sh
 for BUILD_TYPE in DEBUG RELEASE; do
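Review bot: Nothing visible in this diff shows that the platform build files consume the new `KEK_DEFAULT_FILE2`, `DB_DEFAULT_FILE3` and `DB_DEFAULT_FILE4` macros set on the changed `export DEFAULT_KEYS=` line. If they are not referenced there, the `-D` definitions would presumably be accepted without error and the extra certificates left out of the default Secure Boot variables, so the image would not trust what this change intends. It is worth confirming that the matching platform change is in place and recording the dependency above the export, e.g. `# KEK_DEFAULT_FILE2 and DB_DEFAULT_FILE3/4 need matching support in the platform .dsc/.fdf`. The build loop that uses `$DEFAULT_KEYS` continues past the end of the hunk.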