根據 Ubuntu 官網
Testing Secure Boot

1. 預裝 Windows 8 電腦 使用的金鑰

Systems shipping with Windows 8 will typically use the following:
...OEM key in PK
...'Microsoft Corporation KEK CA' key in KEK
...'Microsoft Windows Production PCA' and 'Microsoft Corporation UEFI CA' keys in DB (note, the 'Microsoft Corporation UEFI CA' is not guaranteed to be present in DB-- while recommended, this is EFI firmware vendor/OEM dependent)

2. Ubuntu 使用 已經 微軟簽證的 shim 金鑰 進行一連串 在 Grub 2 裏面的簽證 (沒看到直接使用經 微軟 簽證的金鑰)

...In order to boot on the widest range of systems, Ubuntu uses the following chain of trust:
...Microsoft signs Canonical's 'shim' 1st stage bootloader with their 'Microsoft Corporation UEFI CA'. When the system boots and Secure Boot is enabled, firmware verifies that this 1st stage bootloader (from the 'shim-signed' package) is signed with a key in DB (in this case 'Microsoft Corporation UEFI CA')
...The second stage bootloader (grub-efi-amd64-signed) is signed with Canonical's 'Canonical Ltd. Secure Boot Signing' key. The shim 1st stage bootloader verifies that the 2nd stage grub2 bootloader is properly signed.
...The 2nd stage grub2 bootloader boots an Ubuntu kernel (as of 2012/11, if the kernel (linux-signed) is signed with the 'Canonical Ltd. Secure Boot Signing' key, then grub2 will boot the kernel which will in turn apply quirks and call ExitBootServices. If the kernel is unsigned, grub2 will call ExitBootServices before booting the unsigned kernel)
...If signed kernel modules are supported, the signed kernel will verify them during kernel boot

3. 建議 使用者 使用 2. 的金鑰 再自己產生自己的金鑰 來安裝 真正屬於他自己的 Secure Boot 電腦

Since the above gives the ability to control boot to the OEM and Microsoft, users may want to:
...install their own key in PK, KEK and DB, then re-sign grub2 and use it without shim (and optionally sign the kernel with their own key)
...install their own key in PK and KEK, Canonical's 'Canonical Ltd. Master Certificate Authority' key in KEK and DB and Microsoft's keys in KEK (for updates to DBX). This gives some control of boot to Canonical, but allows for the grub-efi-amd64-signed and linux-signed packages and any DB/DBX updates from Microsoft and Canonical to work without re-signing.
...When testing, a minimum of shim boot, Canonical-signed grub2 boot and user-signed grub2 boot should be covered.

4. 未來再出版的 Ubuntu 會繼續 讓 上面的程序 更簡單

IMPORTANT: Canonical's Secure Boot implementation is primarily about hardware-enablement and this page focuses on how to test Secure Boot for common hardware-enablement configurations, not for enabling Secure Boot to harden your system. If you want to use Secure Boot as a security mechanism, an appropriate solution would be to use your own keys (optionally enrolling additional keys, see above) and update the bootloader to prohibit booting an unsigned kernel. Future releases of Ubuntu may make this easier.

5. 更多 關於 Ubuntu 實作 Sercure Boot 資訊
5-1. /SecureBoot has information about using UEFI secure boot with Ubuntu
5-2. sbkeysync & maintaing uefi key databases to experiment with loading keys from within Ubuntu - shows how to set up and update the UEFI key databases.
5-3. sb-tools on launchpad - tools for secure boot signing, verification and key management # 如果網頁還沒建好 請稍待幾天

6. 補充
要建立自己的金鑰
除了 這篇網頁外
如有需要 請額外參考

6-1. Certificates
6-2. SSL Certificates HOWTO
6-3. OpenSSL Home Page
6-4. Owning your Windows 8 UEFI Platform