diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 0c732cd0f45..a71ae3fd39b 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -76,7 +76,7 @@ jobs:
 
     steps:
     - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
-    - uses: systemd/mkosi@ea1b00c3dba12662214b2e95dd1fe837cb13664b
+    - uses: systemd/mkosi@1445b389750af22756c0fde6facc1f2f343340b4
 
     - name: Free disk space
       run: |
@@ -99,7 +99,9 @@ jobs:
         ToolsTreeDistribution=fedora
         QemuVsock=yes
         # Sometimes we run on a host with /dev/kvm, but it is broken, so explicitly disable it
-        QemuKvm=no
+        QemuKvm=yes
+        # TODO: Drop once https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777 is fixed in Github Actions
+        QemuFirmware=uefi
         Ephemeral=yes
         EOF
 
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index e0fcf304988..d2800a04a9f 100755
--- a/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/base/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -4,8 +4,9 @@
 systemctl --failed --no-legend | tee /failed-services
 
 # Check that secure boot keys were properly enrolled.
-if ! systemd-detect-virt --container; then
-    cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+if ! systemd-detect-virt --container && \
+   cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
+then
     cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
 
     if command -v sbsign &>/dev/null; then
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index d64e560a527..6c0f956c32f 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2376,7 +2376,7 @@ static EFI_STATUS image_start(
          * so). */
         _cleanup_free_ char16_t *options = xstrdup16(options_initrd ?: entry->options_implied ? NULL : entry->options);
 
-        if (!is_confidential_vm()) {
+        if (entry->type == LOADER_LINUX && !is_confidential_vm()) {
                 const char *extra = smbios_find_oem_string("io.systemd.boot.kernel-cmdline-extra");
                 if (extra) {
                         _cleanup_free_ char16_t *tmp = TAKE_PTR(options), *extra16 = xstr8_to_16(extra);