Is the ability to use Machine Owner Keys effectively a bypass of SecureBoot security?

Çağlar Arlı

SecureBoot uses a PKI path to verify particular signed bootloader binaries before it runs these binaries. This PKI, as far as I understand, is basically owned by Microsoft, meaning that only Microsoft can sign binaries that will run on SecureBoot-enforcing machines. However, as a workaround, some machines allow for the use of "Machine Owner Keys" (MOKs) that allow for machine owners to be their own SecureBoot binary signers. You can even install these keys using the mokutil command on GNU/Linux systems.

My question is: doesn't this entirely defeat the point of SecureBoot? If some malware is trying to get you to run a malicious bootloader, why couldn't it just install its own MOK keys, then just perform a "secure boot" of the malware it just signed?