A mechanism for creating and accessing a secure storage area for firmware that stores a “Virtual ROM” module reference or pointer in the actual ROM that includes a unique identifier for the virtual ROM module to be retrieved is discussed. The actual ROM image also contains a generated unique identifier for the whole machine. In retrieving a Virtual ROM module, both the module identifier and the machine identifier are used. Once retrieved, the module is validated using a message digest stored in the Virtual ROM module reference. If required, the Virtual ROM module is then decrypted using a secret key that is stored elsewhere in the actual ROM. Updates to the Virtual ROM module are made in memory by pre-boot code. At a point in time when these updates are complete, the Virtual ROM module is written back out to the location from which it was retrieved. The Virtual ROM module reference that is in the actual ROM is updated to reflect the new message digest value and the module reference and the machine identifier used for the PC are write-disabled. Additionally, if the storage has been encrypted, and a secret key is being used, the region of the actual ROM that contains the secret key is read-disabled.