



  • From the first post in this chain

    That said, I’ve always just enrolled my own keys. I know some other distros that make you enroll their keys as well like Bazzite. At least that way you don’t depend on Microsoft’s keys and shim or anything, clean proper secure boot straight into UKI.

    I didn’t start talking about it; this was many comments above.




  • I don’t think you understand what “enrolling your own keys” means in the context of Secure Boot.

    The key affected here is specifically for the Linux shim signed by Microsoft. It is used by GRUB and some distros to work with Secure Boot.

    Enrolling your own key means you add a new certificate to the key store. This is completely separate from the one provided by Microsoft and controlled only by you. The common recommendation is to remove all built-in keys and only add your own, to make this system as secure as possible.
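
A way to check the outcome described in the comment above, as an added example that is not part of the thread: a parser for the UEFI signature database format (`EFI_SIGNATURE_LIST`) that reports which entries are owned by someone other than you. `MY_OWNER` and the sample bytes are constructed for illustration; the Microsoft owner GUID is the one Microsoft uses for its own db/KEK entries.

```python
import struct
import uuid

EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed

def parse_signature_lists(blob, efivarfs=False):
    """Yield (sig_type, owner, data) for every entry in a PK/KEK/db blob."""
    pos = 4 if efivarfs else 0  # efivarfs files start with 4 attribute bytes
    while pos < len(blob):
        if len(blob) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        end = pos + list_size
        entry = pos + 28 + hdr_size
        if sig_size < 16 or entry > end or end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (end - entry) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        while entry < end:
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end

def foreign_owners(blob, my_owner, efivarfs=False):
    """Owner GUIDs present in the store that are not yours."""
    owners = {o for _, o, _ in parse_signature_lists(blob, efivarfs)}
    return sorted(str(o) for o in owners if o != my_owner)

def _make_list(sig_type, owner, data):
    """Build one single-entry EFI_SIGNATURE_LIST (used for sample input)."""
    sig_size = 16 + len(data)
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + data

# Constructed sample: placeholder bytes stand in for DER certificates.
ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based auth write
MIXED_DB = (ATTRS
            + _make_list(EFI_CERT_X509, MICROSOFT_OWNER, b"placeholder-vendor-cert")
            + _make_list(EFI_CERT_X509, MY_OWNER, b"placeholder-own-cert"))
OWN_ONLY_DB = ATTRS + _make_list(EFI_CERT_X509, MY_OWNER, b"placeholder-own-cert")

if __name__ == "__main__":
    print("mixed db, foreign owners:", foreign_owners(MIXED_DB, MY_OWNER, efivarfs=True))
    print("own-only db, foreign owners:", foreign_owners(OWN_ONLY_DB, MY_OWNER, efivarfs=True))
```

On a Linux system the real input is the `db` variable under `/sys/firmware/efi/efivars/`, read with `efivarfs=True`; an empty result means only your own entries remain in that store.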