-This directory contains known public keys for Linux distributions and other
-parties that sign boot loaders and kernels that should be verifiable by
-shim. I'm providing these keys as a convenience to enable easy installation
-of keys should you replace your distribution's version of shim with another
-one and therefore require adding its public key as a machine owner key
-(MOK).
+This directory contains known public keys for Linux distributions and from
+other parties that sign boot loaders and kernels that should be verifiable
+by shim. I'm providing these keys as a convenience to enable easy
+installation of keys should you replace your distribution's version of shim
+with another one and therefore require adding its public key as a machine
+owner key (MOK).
Files come with three extensions. A filename ending in .crt is a
certificate file that can be used by sbverify to verify the authenticity of
- altlinux.cer -- The public key for ALT Linux (http://www.altlinux.com).
- canonical-uefi-ca.crt & canonical-uefi-ca.der -- Canonical's public key,
- used to sign Ubuntu boot loaders and kernels.
-
-- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, used to sign Fedora
- 18's version of shim and Fedora 18's kernels.
+ matched to the one used to sign Ubuntu boot loaders and kernels.
+
+- fedora-ca.cer & fedora-ca.crt -- Fedora's public key, matched to the one
+ used used to sign Fedora 18's version of shim and Fedora 18's kernels.
+
+- microsoft-kekca-public.der -- Microsoft's key exchange key (KEK), which
+ is present on most UEFI systems with Secure Boot. The purpose of
+ Microsoft's KEK is to enable Microsoft tools to update Secure Boot
+ variables. There is no reason to add it to your MOK list.
+
+- microsoft-pca-public.der -- A Microsoft public key, matched to the one
+ used to sign Microsoft's own boot loader. You might include this key in
+ your MOK list if you replace the keys that came with your computer with
+ your own key but still want to boot Windows. There's no reason to add it
+ to your MOK list if your computer came this key pre-installed and you did
+ not replace the default keys.
+
+- microsoft-uefica-public.der -- A Microsoft public key, matched to the one
+ Microsoft uses to sign third-party applications and drivers. If you
+ remove your default keys, adding this one to your MOK list will enable
+ you to launch third-party boot loaders and other tools signed by
+ Microsoft. There's no reason to add it to your MOK list if your computer
+ came this key pre-installed and you did not replace the default keys.
- openSUSE-UEFI-CA-Certificate.cer & openSUSE-UEFI-CA-Certificate.crt --
- Public keys used to sign OpenSUSE 12.3.
+ Public keys matched to the ones used to sign OpenSUSE 12.3.
- refind.cer & refind.crt -- My own (Roderick W. Smith's) public key,
- used to sign refind_x64.efi and the 64-bit rEFInd drivers.
+ matched to the one used to sign refind_x64.efi and the 64-bit rEFInd
+ drivers.
- SLES-UEFI-CA-Certificate.cer & SLES-UEFI-CA-Certificate.crt -- The
Public key for SUSE Linux Enterprise Server.