diff --git a/MokVars.txt b/MokVars.txt
index baf8db9a..71b42c82 100644
--- a/MokVars.txt
+++ b/MokVars.txt
@@ -63,28 +63,33 @@ State variables:
 MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST
 as described in the UEFI specification. BS,NV
 
-MokListRT: A copy of MokList made available to the kernel at runtime. RT
+MokListRT: A copy of MokList made available to the kernel at runtime. BS,RT
 
 MokListX: A list of forbidden keys and hashes.  An EFI_SIGNATURE_LIST
 as described in the UEFI specification. BS,NV
 
-MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
+MokListXRT: A copy of MokListX made available to the kernel at runtime. BS,RT
 
 MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
 insecure mode. BS,NV
 
+MokSBStateRT: A copy of MokSBState made available to the kernel at runtime.
+This allows the OS to query the shim secure mode setting for its own
+verification purposes. BS,RT
+
 MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
 verification. BS,NV
 
-MokIgnoreDB: An 8-bit unsigned integer.  This allows the OS to query whether
-or not to import DB certs for its own verification purposes.
+MokIgnoreDB: A copy of MokDBState made available to the kernel at runtime.
+This allows the OS to query whether or not to import DB certs for its own
+verification purposes. BS,RT
 
 MokPWStore: A SHA-256 representation of the password set by the user
 via MokPW. The user will be prompted to enter this password in order
-to interact with MokManager.
+to interact with MokManager. BS,NV
 
 MokListTrusted: An 8-bit unsigned integer.  If 1, it signifies to Linux
 to trust CA keys in the MokList. BS,NV
 
 MokListTrustedRT: A copy of MokListTrusted made available to the kernel
-at runtime. RT
+at runtime. BS,RT