A Unified Extensible Firmware Interface (UEFI) secure boot protocol (as indicated in UEFI Specification Version 2.3.1c, Approved June 2012 or higher) provides that authenticated variables be created within a basic input/output system (BIOS) to hold signature lists for authorized software (e.g., “white lists”) and/or forbidden software (e.g., “black lists”) for access control purposes (e.g., to prevent introduction of unauthorized code into the BIOS). This approach provides the ability to authenticate UEFI images (e.g., UEFI-aware Operating System (OS) loaders) as part of a UEFI secure boot authentication process prior to loading and executing such images on a particular computing device. OS vendors or other entities with appropriate credentials may update the white and/or black lists during runtime. For example, during OS runtime, the OS may change the contents of the white and/or black lists from their respective factory default settings, altering which drivers or other software are permitted to run on a computing device. The lists or databases are typically stored in non-volatile random-access memory (NVRAM) on the BIOS. However, if the BIOS is updated (e.g., “flashed over” or otherwise erased), the contents of the lists or databases may be overwritten, thereby destroying the changes made by the OS or other authorized entity.