Machine Owner Key (MOK)

Multiple Linux distributions have implemented UEFI Secure Boot, but this creates problems deploying 3rd party modules and custom-built kernels alongside components signed by the UEFI certificate Authority (CA). The Machine Owner Key MOK concept can be used with a signed shim loader to enable key management at the user/sysadmin level.
Figure 3-1 and Table 3-1 provide an overview of MOK.
Figure 3-1: Linux MOK Boot, (source: “UEFI Secure Boot Webinar”)
Table 3-1: Linux MOK Boot
Item
Entity
Provider
Location
TP
OS Kernel Verification
OSV
External storage
CDI
Shim
OSV
External storage
​
MOK list
User
Variable
UDI
OS Kernel
User
External storage

Additional Secure Boot Chain Implementations

coreboot

Last modified 2yr ago

Item	Entity	Provider	Location
TP	OS Kernel Verification	OSV	External storage
CDI	Shim	OSV	External storage
	MOK list	User	Variable
UDI	OS Kernel	User	External storage