On Tue, Feb 08, 2022 at 12:01:22PM +0100, Julian Andres Klode wrote:
> It's worth pointing out that in Ubuntu, the generated MOK key
> is for module signing only (extended key usage 1.3.6.1.4.1.2312.16.1.2),
> kernels signed with it will NOT be bootable.

Why should these be separate keys? There's no meaningful security boundary between a kernel module and the kernel itself; a kernel module can, for example, write to CR3, and that's game over for any pretence at separation.
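A practical way to tell which kind of key one is looking at, as an added example (not code from this thread or from Ubuntu): a small shell script that decodes a certificate with openssl and checks whether its Extended Key Usage carries the module-signing OID quoted above. It assumes the openssl command-line tool (1.1.1 or newer, for -addext) is installed and builds two throwaway self-signed certificates purely for demonstration.

```shell
#!/bin/sh
# Added example: does a certificate carry the Linux module-signing EKU
# (1.3.6.1.4.1.2312.16.1.2) that the Ubuntu-generated MOK key is restricted to?
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is available.
set -e

MODSIGN_EKU="1.3.6.1.4.1.2312.16.1.2"

# Print the line following "X509v3 Extended Key Usage" in the decoded certificate;
# prints nothing when the extension is absent.
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# Exit status 0 when the certificate's EKU includes the module-signing OID, 1 otherwise.
is_modsign_only() {
    case "$(cert_eku "$1")" in
        *"$MODSIGN_EKU"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed throwaway self-signed certificates for the demonstration
# (not real MOK keys): $1 = output PEM file, $2 = optional -addext value.
make_demo_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
            -keyout /dev/null -out "$1" -addext "$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
            -keyout /dev/null -out "$1" 2>/dev/null
    fi
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR/modsign.pem" "extendedKeyUsage = $MODSIGN_EKU"
make_demo_cert "$DEMO_DIR/generic.pem"

for cert in "$DEMO_DIR/modsign.pem" "$DEMO_DIR/generic.pem"; do
    if is_modsign_only "$cert"; then
        echo "$cert: module-signing EKU present (kernels signed with it won't boot)"
    else
        echo "$cert: no module-signing EKU"
    fi
done
```

To inspect a real enrolled key, convert the DER file that mokutil exports with `openssl x509 -inform DER` first, then pass the PEM to `is_modsign_only`.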