• cmhe@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 hours ago

    This is the MOK (Machine Owner Key), which is part of the shim bootloader, not UEFI secure boot.

    The shim bootloader is signed by Microsoft UEFI secure boot keys, so Microsoft is the root of trust there.

    On some systems you can delete all Secure Boot keys, and provision your own, then you don’t need the shim bootloader and can sign your own bootloader or Linux kernel directly. Windows would not be able to boot on those systems.