== How can I sign my own kernel modules? ==

[[UEFI/SecureBoot/Signing]]

== How can I sign my own kernel or GRUB? ==

[[UEFI/SecureBoot/Signing]]

== Why not disable Secure Boot? ==

UEFI Secure Boot genuinely protects you to some degree against booting a malicious copy of the bootloader or kernel, if you were to get those from a bad update (from a malicious PPA, or some other third-party archive). It does not prevent people with physical access to the system from going in and changing things, but it already gives you a higher level of assurance that your system's early boot environment has not been tampered with.

== Is it safe to keep the Machine-Owner Key password-less and unencrypted on disk? ==

We feel it is sufficiently safe. The MOK only allows signing kernel modules, and if someone has enough access (meaning, root access) to the system, they have already compromised it.

== I use special hardware that does not include Microsoft keys, how can I still use Secure Boot? ==

You could import the Microsoft certificates, if you're lazy and decide that you trust Microsoft sufficiently. The certificates are available here: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/

Otherwise, you may [[UEFI/SecureBoot/KeyManagement/KeyGeneration|create your own signing certificates]] and sign your own files.