diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 9b82f391c4..3977b5040f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -4876,6 +4876,16 @@ virDomainDefPostParseMemory(virDomainDef *def,
static void
virDomainDefPostParseOs(virDomainDef *def)
{
+ if (def->os.firmwareFeatures &&
+ def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_ENROLLED_KEYS] == VIR_TRISTATE_BOOL_YES) {
+
+ /* For all non-broken firmware builds, enrolled-keys implies
+ * secure-boot, and having the Secure Boot keys in the NVRAM file
+ * when the firmware doesn't support the Secure Boot feature doesn't
+ * make sense anyway. Reflect this fact explicitly in the XML */
+ def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] = VIR_TRISTATE_BOOL_YES;
+ }
+
if (!def->os.loader)
return;
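Review bot: The assignment to `firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT]` in the new block is unconditional, so an explicit secure-boot "no" given together with enrolled-keys "yes" is silently rewritten to "yes" instead of being reported as a contradictory configuration. Unless that combination is already rejected somewhere outside this hunk, the contradiction no longer exists by the time any later validation runs, and the user gets a guest definition that differs from what they wrote with no diagnostic. Consider filling in the value only when it was left unset, e.g. guarding the assignment with `if (def->os.firmwareFeatures[VIR_DOMAIN_OS_DEF_FIRMWARE_FEATURE_SECURE_BOOT] == VIR_TRISTATE_BOOL_ABSENT)`, and leaving the explicit "no" case to a validation error. The body of virDomainDefPostParseOs continues past the end of the hunk, so this is based only on the lines shown.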
diff --git a/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml b/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
index aa08caa4f7..8dcc741c1e 100644
--- a/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/firmware-auto-efi-enrolled-keys.x86_64-latest.xml
@@ -8,6 +8,7 @@
hvm
+