diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index 4c5d62597..9dbbf0933 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -24,6 +24,7 @@ profile sbctl @{exec_path} {
 /{boot,efi}/EFI/{,**} rw,
 /{boot,efi}/vmlinuz-linux* rw,
 @{lib}/fwupd/efi/{,**} rw,
+ @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw,
 @{sys}/firmware/efi/efivars/db-@{uuid} rw,
 @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
@@ -32,6 +33,7 @@ profile sbctl @{exec_path} {
 @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
 /dev/pts/@{int} rw,
+ /dev/tpmrm@{int} rw,
 # File Inherit
 deny network inet stream,
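Review bot: The added `@{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw,` rule covers only the signed output, and nothing in this hunk gives sbctl read access to the unsigned `systemd-boot*.efi` it would sign from. If no rule elsewhere in the profile already covers that path, signing would presumably still be denied; adding `@{lib}/systemd/boot/efi/systemd-boot*.efi r,` next to the new line would close the gap. The glob itself is suitably narrow, since `*` does not cross `/` in AppArmor. The profile body starts and ends outside the hunk, so the read rule may already exist there.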
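Review bot: The new `/dev/tpmrm@{int} rw,` line in the second hunk gives a tool that already writes the Secure Boot variables access to the TPM resource manager, and nothing in the hunk records why. A comment above it, such as `# TPM-backed signing keys` (if that is the reason; confirm against the sbctl feature that triggered the denial), would let a later auditor judge whether the rule is still needed. It also sits directly under `/dev/pts/@{int} rw,` with no separation, so it reads as part of the terminal rules rather than a distinct capability. Granting only the resource-managed `tpmrm` node is the narrower choice and worth keeping that way. The profile continues outside the hunk.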