How can I sign my own kernel modules?


How can I sign my own kernel or GRUB?


Why not disable Secure Boot?

UEFI Secure Boot genuinely protects you to some degree against booting a malicious copy of the bootloader or kernel, if you were to get those from a bad update (from a malicious PPA, or some other third-party archive). It does not protect against people with physical access to the system from going in to change things, but this already gives you a higher level of assurance that your system's early boot environment has not been tempered with.

Is it safe to keep the Machine-Owner Key password-less and unencrypted on disk?

We feel it is sufficiently safe. The MOK only allows signing kernel modules, and if someone has enough access (meaning, root access) to the system, they have already compromised it.

I use special hardware that does not include Microsoft keys, how can I still use Secure Boot?

You could import the Microsoft certificates, if you're lazy and decide that you trust Microsoft sufficiently. The certificates are available here:


Otherwise, you may create your own signing certificates and sign your own files.

UEFI/SecureBoot/FAQ (last edited 2017-12-06 16:34:06 by cyphermox)