Like… where do the default Windows signing keys come from? Isn’t that like hard embedded into the BIOS/UEFI when the hardware is made? If so, how does Linux even use Secure Boot? Does it somehow replace the keys when you install a new OS?
I tried googling, but all I find is just simple pages that don’t have much detail.
This is a good answer.
To add, for Linux kernels, the maintainers use a shim EFI package with the distro’s keys (e.g., Canonical’s keys for Ubuntu) which loads the maintainer-signed kernel. And Microsoft signs the shim to keep the chain intact.