Machine Owner Key (MOK)

Multiple Linux distributions have implemented UEFI Secure Boot, but this creates problems when deploying third-party modules and custom-built kernels alongside components signed by the UEFI Certificate Authority (CA). The Machine Owner Key (MOK) concept can be used with a signed shim loader to enable key management at the user/sysadmin level.
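The trust decision the shim makes for a MOK-signed artifact can be modelled with OpenSSL. This is an added example, not code from the page or from the shim project; it assumes `openssl` is installed and uses constructed file names under a temporary directory. The key pair is generated the way a sysadmin would prepare a MOK for enrollment (the DER file is what `mokutil --import` takes), a stand-in "module" is signed as a detached CMS signature, and verification succeeds only against certificates in the emulated MOK list.

```shell
#!/bin/sh
# Added example: emulate MOK key management and the shim's MOK-list check.
# Assumption: openssl is available; $WORK and all file names are constructed here.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a MOK key pair and self-signed certificate for the named owner.
# The DER form is what would be enrolled with `mokutil --import NAME.der`,
# after which shim's MokManager asks for confirmation at the next boot.
gen_mok() {   # $1 = key name (e.g. "enrolled")
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=$1 Machine Owner Key/" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
}

# Sign an artifact (stand-in for a kernel module or custom kernel) with the
# named key, producing a detached CMS signature in DER form, which is the
# signature format the kernel's own sign-file tool also uses.
sign_artifact() {   # $1 = key name, $2 = artifact path
  openssl cms -sign -binary -signer "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -in "$2" -outform DER -out "$2.$1.sig"
}

# Emulate the verification step: only certificates in the MOK list (the
# enrolled certs passed as extra arguments) are trust anchors. A signature
# made with any other key, however valid, is rejected.
verify_against_moklist() {   # $1 = artifact, $2 = signature, $3.. = MOK list certs
  artifact=$1; sig=$2; shift 2
  for cert in "$@"; do
    if openssl cms -verify -binary -inform DER -in "$sig" -content "$artifact" \
         -CAfile "$cert" -out /dev/null 2>/dev/null; then
      return 0   # signer chains to an enrolled MOK: load allowed
    fi
  done
  return 1       # no enrolled MOK matches: load refused
}
```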

Figure 3-1 and Table 3-1 provide an overview of MOK.

Figure 3-1: Linux MOK Boot (source: “UEFI Secure Boot Webinar”)

Table 3-1: Linux MOK Boot

| Item | Entity                 | Provider | Location         |
|------|------------------------|----------|------------------|
| TP   | OS Kernel Verification | OSV      | External storage |
| CDI  | Shim                   | OSV      | External storage |
|      | MOK list               | User     | Variable         |
| UDI  | OS Kernel              | User     | External storage |