From 3a7456337d760dbb10d4bdf4218af3a58d7669bb Mon Sep 17 00:00:00 2001 From: fria <138676274+friadev@users.noreply.github.com> Date: Mon, 27 Oct 2025 07:29:41 -0500 Subject: [PATCH] update on microsoft KEK --- blog/posts/secure-boot.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/blog/posts/secure-boot.md b/blog/posts/secure-boot.md index e6d158f1b..8d5fb3cb3 100644 --- a/blog/posts/secure-boot.md +++ b/blog/posts/secure-boot.md @@ -81,4 +81,8 @@ The design of UEFI Secure Boot allows for users to delete the keys all the way u Deleting the PK typically puts the system into Setup Mode, where you'll need to enroll a new PK. -The PK allows updates to the KEK and by extension the signature databases so erasing it effectively disables Secure Boot until a new key is added. \ No newline at end of file +The PK allows updates to the KEK and by extension the signature databases so erasing it effectively disables Secure Boot until a new key is added. + +Microsoft provides its own PK for OEMs to use if they don't want the responsibilty of managing the keys themselves. They also provide their own KEK via their KEK certificate authority. For Windows, it's required in order to update the database for newer signed images of Windows. + +It also allows booting into non-Microsoft bootloaders like shim, allowing many Linux distributions to support secure boot without any extra configuration. \ No newline at end of file
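Review bot: The last added line of the hunk ("It also allows booting into non-Microsoft bootloaders like shim ...") attributes shim support to the Microsoft KEK, but shim is signed under Microsoft's third-party UEFI CA, which lives in db, not in KEK; the KEK only authorizes updates to db/dbx. The sentence should name the third-party UEFI CA in db as what allows shim to boot, and qualify "without any extra configuration" with the fact that it only holds when the OEM has enrolled that CA in db (Secured-core PCs, for example, ship with it disabled by default). Related wording in the same hunk: "For Windows, it's required in order to update the database for newer signed images of Windows" should say concretely that db and dbx updates delivered through Windows Update are signed with the Microsoft KEK, so a machine whose KEK variable lacks it cannot apply them. The claim that "Microsoft provides its own PK for OEMs" needs a citation, since the paragraph just above states that the PK is what authorizes KEK changes; if Microsoft holds the PK, the text should say plainly that this hands control of the whole key hierarchy to Microsoft rather than the OEM. Finally, "responsibilty" should read "responsibility", and the file still ends without a trailing newline (both "\ No newline at end of file" markers), which a subsequent edit to the last line will keep showing as churn; consider adding the newline here.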