This repository has been archived by the owner on Oct 8, 2023. It is now read-only.
Manage shim openssl certificates for efi Secure Boot.

MichaelSchaecher/mokey

Create, manage and sign.

What is MOK

MOK, the Machine Owner Key, is part of the shim mechanism that lets non-Windows operating systems boot without UEFI Secure Boot being disabled. The main part is the shim.efi bootloader, which is signed by Microsoft so that the firmware will run it, and which has only one job: to load either the primary bootloader or a kernel, and to do so only if that binary is signed with a certificate shim trusts, namely the distribution certificate built into shim, a certificate the machine owner has enrolled into the MOK list, or one present in the firmware's db. Most distribution kernels in turn use the enrolled MOK certificates to verify the signatures on kernel modules, which is what lets locally built (for example DKMS) modules load with Secure Boot on. If the.

The downside to MOK is that it is not as secure as the certificates installed in the UEFI firmware: the MOK list lives in an EFI variable managed by shim, so it is only as trustworthy as shim and its enrollment flow (mokutil stages the certificate from the running OS, and MokManager asks for physical confirmation and the enrollment password on the next boot before adding it). On some PCs the firmware's own certificates (PK, KEK and db) can be replaced with your own, which avoids shim entirely; however, doing so is an involved process and can end in a computer that cannot boot, so only do it at your own risk.
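What registering a certificate actually involves, as an added example that is not mokey's own code: the shell functions below create a Machine Owner Key with openssl, check the certificate's extended key usage, and wrap the mokutil enrollment and sign-file module-signing steps. The key directory layout (MOK.priv, MOK.pem, MOK.der), the openssl.cnf contents and the 36500-day validity are this example's own choices, not the project's; mokutil and sign-file are only called when they are installed.

```shell
#!/bin/sh
# Added example for this README (not mokey's own code): create a Machine Owner Key,
# check its extended key usage, and wrap the enrollment and module-signing steps.
# File names (MOK.priv, MOK.pem, MOK.der) and the key directory are this example's
# own conventions, not the project's.

# Write an openssl request config for a MOK. The extendedKeyUsage line adds shim's
# "module signing only" OID (1.3.6.1.4.1.2312.16.1.2) next to codeSigning: shim will
# not accept EFI binaries signed with this key, only the kernel will use it for
# modules. Drop that OID if the key must also sign a custom kernel or bootloader.
mok_write_config() {  # usage: mok_write_config <dir> <common name>
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
string_mask = utf8only
x509_extensions = mok_ext
[ req_dn ]
CN = $2
[ mok_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
EOF
}

# Generate the key pair and a self-signed certificate; mokutil and sign-file take DER.
mok_create_key() {  # usage: mok_create_key <dir> [common name] [rsa bits]
    dir=$1; cn=${2:-"Machine Owner Key"}; bits=${3:-4096}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    mok_write_config "$dir" "$cn"
    openssl req -config "$dir/openssl.cnf" -new -x509 -newkey "rsa:$bits" -nodes \
        -days 36500 -keyout "$dir/MOK.priv" -out "$dir/MOK.pem" || return 1
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der" || return 1
    chmod 600 "$dir/MOK.priv"   # the private key is what an attacker would need to steal
}

# Exit 0 if the certificate carries shim's module-signing-only EKU, 1 otherwise.
mok_is_module_signing_only() {  # usage: mok_is_module_signing_only <cert.pem>
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q '1\.3\.6\.1\.4\.1\.2312\.16\.1\.2'
}

# Queue the certificate for enrollment. Nothing is trusted yet: mokutil stages it and
# asks for a one-time password; on the next boot MokManager asks for that password on
# the console before moving the certificate into the MOK list.
mok_enroll() {  # usage: mok_enroll <dir>
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil is not installed" >&2; return 1; }
    mokutil --import "$1/MOK.der"
}

# Sign an out-of-tree module with the kernel's own sign-file helper; the kernel loads
# it only when the matching certificate is enrolled. The path assumes the running
# kernel's headers are installed.
mok_sign_module() {  # usage: mok_sign_module <dir> <module.ko>
    sf=/lib/modules/$(uname -r)/build/scripts/sign-file
    [ -x "$sf" ] || { echo "sign-file not found at $sf" >&2; return 1; }
    "$sf" sha256 "$1/MOK.priv" "$1/MOK.der" "$2"
}

# Run directly with a key directory to create a key: ./mok-example.sh /var/lib/mokey-example
if [ -n "${1:-}" ]; then
    mok_create_key "$1" && openssl x509 -in "$1/MOK.pem" -noout -subject -dates
fi
```

After `mok_enroll`, the certificate only becomes trusted once someone at the console completes the MokManager prompt on the next boot; that physical-presence step is what stops malware on a running system from enrolling its own key. `mokutil --test-key MOK.der` reports whether the certificate is enrolled, and `modinfo module.ko` shows the signer and sig_key fields of a signed module.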

In order to understand what MOK is, you first have to understand how Secure Boot works. The first step in the boot process is that the UEFI firmware looks for a bootable EFI binary, in most cases a bootloader. Before it is executed, the firmware checks that the binary carries a signature and validates that signature against the certificates in its signature database (db), also making sure that neither the binary nor its signing certificate is listed in the forbidden database (dbx). If the file is not signed, or the key that was used does not match a trusted certificate, the firmware refuses to run it and the system cannot boot from that entry.


(Figure: Bootloader not signed or signed with wrong certificate.)

For operating systems like Ubuntu, Fedora and openSUSE, shim is the Microsoft-signed bootloader and has only two jobs: verifying that the primary bootloader (usually GRUB) is signed and that the signature matches a certificate shim trusts (its built-in distribution certificate, the MOK list or the firmware db), and then handing control to it. Once the bootloader passes muster, it loads the kernel and initramfs. GRUB by itself does not require that a kernel be signed: distribution builds include the shim_lock verifier, so with Secure Boot on GRUB asks shim to validate the kernel's signature before booting it, but an upstream GRUB built without that verifier will load anything. Kernel modules are never checked by GRUB; the kernel verifies module signatures itself when it is configured to.

If GRUB is not built or configured to load only signed kernels, the chain of trust ends at GRUB: anyone who can write to the EFI system partition can stage an unsigned kernel and boot it while the firmware still reports Secure Boot as enabled, so this is a real security risk rather than a small one.
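What "checks if it is signed" means for the firmware and for shim, as an added example that is neither mokey's nor shim's code: an EFI binary is a PE/COFF image, and its Authenticode signature is located through entry 4 (the Attribute Certificate Table) of the optional header's data directory, so the first thing any verifier does is read that entry. The script below does exactly that in portable sh with od and dd, and builds a constructed minimal PE32+ header as sample input so it can be exercised without a real bootloader; the sample, the file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not mokey's or shim's code): report whether a PE/COFF EFI binary
# carries an Authenticode signature at all. The signature is reached through the
# Attribute Certificate Table, data directory entry 4 of the optional header; a zero
# size there means the binary is unsigned. Presence of the table says nothing about
# who signed it; that is the separate certificate check done by firmware, shim or sbverify.

# Read a little-endian 16- or 32-bit integer at a byte offset. od prints one byte per
# word, so host endianness does not matter.
rd_le() {  # usage: rd_le <file> <offset> <width 2|4>
    f=$1; off=$2; width=$3
    set -- $(od -An -t u1 -j "$off" -N "$width" "$f" 2>/dev/null)
    [ $# -eq "$width" ] || return 1
    v=0; m=1
    for b in "$@"; do v=$((v + b * m)); m=$((m * 256)); done
    echo "$v"
}

# Print the size in bytes of the Attribute Certificate Table (0 = unsigned).
pe_signature_size() {  # usage: pe_signature_size <file.efi>
    f=$1
    [ "$(rd_le "$f" 0 2)" = 23117 ] || { echo "$f: no MZ header" >&2; return 2; }      # 'MZ'
    lfanew=$(rd_le "$f" 60 4) || return 2                    # e_lfanew: offset of the PE header
    [ "$(rd_le "$f" "$lfanew" 4)" = 17744 ] || { echo "$f: no PE signature" >&2; return 2; }  # 'PE\0\0'
    opt=$((lfanew + 24))                                     # optional header follows the 20-byte COFF header
    case "$(rd_le "$f" "$opt" 2)" in
        523) ndirs=$((opt + 108)); dir=$((opt + 144)) ;;     # 0x20b PE32+ (x86_64 / aarch64 EFI)
        267) ndirs=$((opt + 92));  dir=$((opt + 128)) ;;     # 0x10b PE32  (ia32 EFI)
        *)   echo "$f: unknown optional header magic" >&2; return 2 ;;
    esac
    # NumberOfRvaAndSizes must cover entry 4, otherwise there is no certificate table.
    [ "$(rd_le "$f" "$ndirs" 4)" -ge 5 ] 2>/dev/null || { echo 0; return 0; }
    rd_le "$f" $((dir + 4)) 4                                # entry = {file offset, size}; the size decides
}

pe_is_signed() {  # usage: pe_is_signed <file.efi>; exit 0 if a certificate table exists
    s=$(pe_signature_size "$1") && [ "$s" -gt 0 ]
}

# Constructed sample input: a 240-byte PE32+ header with only the fields above filled in.
le32_esc() {  # decimal -> printf escape string for 4 little-endian bytes
    n=$1; s=''
    for i in 1 2 3 4; do s="$s$(printf '\\%03o' $((n % 256)))"; n=$((n / 256)); done
    printf '%s' "$s"
}
poke() {  # usage: poke <file> <offset> <printf escapes>
    printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}
make_sample_pe() {  # usage: make_sample_pe <out file> <certificate table size>
    dd if=/dev/zero of="$1" bs=240 count=1 2>/dev/null
    poke "$1" 0   'MZ'
    poke "$1" 60  "$(le32_esc 64)"       # e_lfanew = 0x40
    poke "$1" 64  'PE\000\000'
    poke "$1" 88  '\013\002'             # optional header magic 0x20b (PE32+)
    poke "$1" 196 "$(le32_esc 16)"       # NumberOfRvaAndSizes = 16
    poke "$1" 232 "$(le32_esc 240)"      # certificate table file offset (would follow the headers)
    poke "$1" 236 "$(le32_esc "$2")"     # certificate table size; 0 means unsigned
}

# Run directly on a real binary: ./pe-sig.sh /boot/efi/EFI/BOOT/BOOTX64.EFI
if [ -n "${1:-}" ]; then
    size=$(pe_signature_size "$1") || exit 2
    if [ "$size" -gt 0 ]; then echo "$1: certificate table of $size bytes"; else echo "$1: unsigned"; fi
fi
```

This answers only whether a signature blob is present. Whether it chains to db, to shim's built-in certificate or to an enrolled MOK is the second question; on a real system `sbverify --cert MOK.pem <kernel image>` from sbsigntools answers it for your own key, and `sbverify --list shimx64.efi` lists the certificates embedded in a signed binary.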

MOKEY (formerly MOKUTIL-KEY)

Mokutil-key was a bash script that was written very dirtily and did not receive any updates for over a year, mostly because I switched to Arch and then got stuck on Windows. Sadly, I'm still stuck on Windows, but that is no reason to do nothing with a script that fixes a simple problem. So after some time away I started reworking the script file and soon realized that it was becoming a different animal altogether, and since everything in nature evolves, Mokutil-key had to evolve too, and so mokey was born.

Most Linux distributions use shim and MOK for booting with Secure Boot, with the exception of Arch, but that is not to say that it cannot be done. To learn how to set up Secure Boot on Arch, follow this guide.


(Figure: Boot order for UEFI and SHIM.)
