Machine Owner Key (MOK)
Multiple Linux distributions have implemented UEFI Secure Boot, but this creates problems deploying 3rd party modules and custom-built kernels alongside components signed by the UEFI certificate Authority (CA). The Machine Owner Key MOK concept can be used with a signed shim loader to enable key management at the user/sysadmin level.
Figure 3-1 and Table 3-1 provide an overview of MOK.

Figure 3-1: Linux MOK Boot, (source: “UEFI Secure Boot Webinar”)

Table 3-1: Linux MOK Boot
Item
Entity
Provider
Location
TP
OS Kernel Verification
OSV
External storage
CDI
Shim
OSV
External storage
MOK list
User
Variable
UDI
OS Kernel
User
External storage