Machine Owner Key (MOK)
Multiple Linux distributions have implemented UEFI Secure Boot, but this creates problems deploying 3rd party modules and custom-built kernels alongside components signed by the UEFI certificate Authority (CA). The Machine Owner Key MOK concept can be used with a signed shim loader to enable key management at the user/sysadmin level.
Figure 3-1 and Table 3-1 provide an overview of MOK.
Figure 3-1: Linux MOK Boot, (source: “UEFI Secure Boot Webinar”)
Table 3-1: Linux MOK Boot
Item | Entity | Provider | Location |
---|---|---|---|
TP | OS Kernel Verification | OSV | External storage |
CDI | Shim | OSV | External storage |
MOK list | User | Variable | |
UDI | OS Kernel | User | External storage |