ELevate with SecureBoot

We have hundreds of Intel NUCs needing to get off of CentOS 7 due to the EOL. We were thrilled to discover ELevate and created a script to roll it out to these systems. In our initial testing, everything proceeds perfectly on virtual systems (which have SecureBoot disabled by default); however, once we tried to deploy it to a physical system, we encountered the error “/vmlinuz-upgrade.x86_64 has invalid signature. you need to load the kernel first.”

Clearly SecureBoot has stopped the vmlinuz-upgrade initramfs kernel from booting. But, upon checking sbverify, I’m seeing that it is actually signed by DigiCert with a G4 Code Signing certificate, so I’m wondering what’s stopping it.

I also failed to find any mention of SecureBoot in the ELevate documentation specifically. Is SecureBoot even supported?

Would it suffice to simply add the public key to the MOK?

Has anyone else encountered this issue and is there any way to do this without having to boot to UEFI and disable SecureBoot across hundreds of systems?

Thanks in advance.