How do I enable UEFI Secure Boot for a Linux build made with Yocto?
0 votes, 1 answer, 1064 views
I'm producing a Yocto build, and want to enable UEFI Secure Boot on the Intel machine I'm using. This is a pretty basic Yocto build, using core-image-minimal and meta-intel. The artifacts it produces look like:
./core-image-minimal-intel-corei7-64.wic
./bzImage-intel-corei7-64.bin
./bzImage--6.1.38+git0+d62bfbd59e_11e606448a-r0-intel-corei7-64-20240208204456.bin
./core-image-minimal-intel-corei7-64.manifest
./OvmfPkKek1.crt
./OvmfPkKek1.pem
./systemd-bootx64.efi
./core-image-minimal-intel-corei7-64-20240215181510.rootfs.tar.xz
./microcode.cpio
./modules-intel-corei7-64.tgz
./core-image-minimal-intel-corei7-64-20240215181510.rootfs.manifest
./microcode_20230808.cpio
./modules--6.1.38+git0+d62bfbd59e_11e606448a-r0-intel-corei7-64-20240208204456.tgz
./bzImage
./core-image-minimal-intel-corei7-64-20240215181510.testdata.json
./grub-efi-bootx64.efi
./ovmf.vars.qcow2
./core-image-minimal-intel-corei7-64.qemuboot.conf
./ovmf.secboot.code.qcow2
./linuxx64.efi.stub
./OvmfPkKek1.key
./ovmf.secboot.qcow2
./core-image-minimal-intel-corei7-64.tar.xz
./core-image-minimal-intel-corei7-64-20240215181510.rootfs.wic
./ovmf.code.qcow2
./core-image-minimal.env
./core-image-minimal-systemd-bootdisk-microcode.wks
./ovmf.qcow2
./core-image-minimal-intel-corei7-64-20240215181510.qemuboot.conf
./core-image-minimal-intel-corei7-64.testdata.json
My boot partition looks like:
./loader
./loader/loader.conf
./loader/entries
./loader/entries/boot.conf
./EFI
./EFI/BOOT
./EFI/BOOT/bootx64.efi
./bzImage
I can't figure out how to enable Secure Boot using these files. There's an option to enroll a signature, and when I do that using the bootx64.efi file and then try to boot, I get some sort of bzImage error, and then something about a security policy violation.
I get similar (but different) errors when I try to do the same process on a random Kali Linux install off of a USB drive.
There are also UEFI options like "enroll signature", "enroll PK", "enroll KEK", etc., and I tried these hoping to be able to select those OvmfPkKek1* files Yocto is producing, assuming those are the keys, but they don't show up on disk when browsing my boot partition via the UEFI interface, even though I copied them over. I'm not sure why.
Any ideas how I make this install work with secure boot?
Asked by Dave
(45 rep)
Feb 20, 2024, 09:44 PM
Last activity: Feb 21, 2024, 06:35 PM
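The "security policy violation" the firmware reports is what happens when an EFI binary in the boot chain carries no Authenticode signature chaining to a key in db; enrolling bootx64.efi alone does not cover the bzImage that systemd-boot then loads. As an added diagnostic, not code from the question or from the Yocto project, the following Python script reads the PE/COFF header of an EFI image (bootx64.efi, or an x86_64 bzImage built with the EFI stub) and reports whether it has a Certificate Table at all; the header it builds for the demo is constructed, and the `0x600` size is an arbitrary sample value.

```python
import struct

# Data directory index of the Attribute Certificate Table (PE/COFF spec).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def pe_signature_info(data: bytes) -> dict:
    """Report whether a PE/COFF image carries an Authenticode signature.
    An empty Certificate Table is exactly what Secure Boot firmware refuses
    with a security policy violation once db is populated."""
    none = {"pe": False, "signed": False, "cert_offset": 0, "cert_size": 0}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return none
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return none
    opt_off = pe_off + 4 + 20              # skip "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:                     # PE32+ (x86_64 EFI binaries)
        dd_off = opt_off + 112
    elif magic == 0x10B:                   # PE32 (ia32)
        dd_off = opt_off + 96
    else:
        return none
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return dict(none, pe=True)
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    # The certificate entry is a raw file offset (not an RVA); require it in-bounds.
    signed = cert_size > 0 and cert_offset + cert_size <= len(data)
    return {"pe": True, "signed": signed,
            "cert_offset": cert_offset, "cert_size": cert_size}

def build_minimal_pe32plus(cert_size: int) -> bytes:
    """Constructed sample: a bare PE32+ header (no sections, no real code)
    followed by cert_size zero bytes standing in for the certificate table."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # Machine=x86_64, 0 sections, SizeOfOptionalHeader=240, Characteristics=0x22
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    header_len = len(dos) + len(coff) + 240
    dirs = [(0, 0)] * 16
    if cert_size:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, cert_size)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    return dos + coff + opt + b"\0" * cert_size

if __name__ == "__main__":
    for label, size in (("unsigned", 0), ("signed", 0x600)):
        print(label, pe_signature_info(build_minimal_pe32plus(size)))
```

Run `pe_signature_info(open("bzImage", "rb").read())` against the real artifacts: if `signed` is False for the kernel, signing it (with the same key whose certificate is enrolled in db) is the missing step, independently of what was done for bootx64.efi.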