> No reason to? How can I configure an off the shelf system originally
> sold with windows 8 installed to boot in UEFI secure boot mode using
> shim without trusting Microsoft's key?

Assuming it's an x86 and a PC class platform and thus should allow you to disable secure boot mode then you disable secure boot mode and boot in sane PC mode. You then jump through a collection of hoops to sign all your OS stuff, your ROMs and a few other things with a new key, remove the MS key and then "secure" boot it.

That will also stop random people demonstrating how secure your "secure" boot is by walking up to your box and installing Windows 8 over your distribution by reformatting your hard drive and probably block a wide range of interesting law enforcement and other tools some of which will inevitably fall into the wrong hands.

A lot of the work there is the mechanising of all of the hoop jumping and key management, but there isn't an intrinsic reason you can't turn this into a nice clean click and point self-sign my PC UI.

There are some interesting uses for self signed keys or having your own corporate key included in your builds as a big company. One thing it solves if you do it with Linux and an own key is being able to remote install securely over a network which right now for all OS's and PC class devices is a problem as you have no way to verify the image.

Alan
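The key generation and signing steps the reply alludes to, as an added example that is not part of the original message. It assumes openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list) and sbsigntools (sbsign, sbverify) are installed; the directory layout, certificate names and GUID are constructed, and enrolling the resulting .auth files is done from the firmware's setup mode.

```shell
#!/bin/sh
# Owner-controlled Secure Boot keys: PK (platform), KEK (key exchange), db (allowed signers).
# Usage: gen_hierarchy ./sb-keys && make_auth ./sb-keys && sign_efi ./sb-keys loader.efi loader.signed.efi

OWNER_GUID="11111111-2222-3333-4444-555555555555"   # constructed placeholder owner GUID

# Create one self-signed RSA-2048 certificate and private key: <dir>/<name>.{key,crt}
gen_key() {
    dir=$1; name=$2
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Owner $name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null &&
    chmod 600 "$dir/$name.key"      # private keys must stay off the target machine
}

# Generate the three keys that take the place of the vendor-provisioned ones.
gen_hierarchy() {
    dir=$1
    mkdir -p "$dir" || return 1
    for name in PK KEK db; do
        gen_key "$dir" "$name" || return 1
    done
}

# Build authenticated variable updates (efitools).
# PK signs its own update and the KEK update; KEK signs the db update.
# Without -a each update replaces the variable, so db ends up holding only the owner's certificate.
make_auth() {
    dir=$1
    for name in PK KEK db; do
        cert-to-efi-sig-list -g "$OWNER_GUID" "$dir/$name.crt" "$dir/$name.esl" || return 1
    done
    sign-efi-sig-list -g "$OWNER_GUID" -k "$dir/PK.key"  -c "$dir/PK.crt"  PK  "$dir/PK.esl"  "$dir/PK.auth"  &&
    sign-efi-sig-list -g "$OWNER_GUID" -k "$dir/PK.key"  -c "$dir/PK.crt"  KEK "$dir/KEK.esl" "$dir/KEK.auth" &&
    sign-efi-sig-list -g "$OWNER_GUID" -k "$dir/KEK.key" -c "$dir/KEK.crt" db  "$dir/db.esl"  "$dir/db.auth"
}

# Sign an EFI binary (boot loader, kernel) with the db key, then check the signature (sbsigntools).
sign_efi() {
    dir=$1; src=$2; dst=$3
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$dst" "$src" &&
    sbverify --cert "$dir/db.crt" "$dst"
}
```

Every binary the firmware loads, option ROMs included, has to verify against the new db before the vendor keys are dropped, otherwise the machine will refuse to boot it.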