Hi Matthew, I have been thinking about this issue a lot and the only solution I have found that is both good for Linux and Windows would be to ask for the UEFI admin password when attempting to boot from an untrusted kernel. Once the password has been verified, the kernel could be automatically signed by the TPM and the password would never be asked again. That should be secure since the UEFI code is signed (no fake window here) and an already-trusted OS is unlikely to suddenly ask for the password by copying the password window's style. I personally would like something like this to happen instead of the key nightmare we are going to see but I understand that companies would like to be able to sign one kernel and distribute it to all their client instead of having to write the UEFI admin password every time an update occurs. Is there any silly case I forgot to take into account? MùPùF (sorry, no account)