
IF YOU ARE NOT SURE, PLEASE DO GIVE YOUR THOUGHTS ON THIS

After installing Ubuntu, if we install a graphics driver for dedicated graphics card then we need to enroll a MOK to the firmware. As far as I understand, the key I enroll should go into the ROM. I generally keep installing and uninstalling Linux. When I remove the Linux partition, the MOK should still be there in the firmware according to me. And when I install Linux again then if I generate a new MOK, then it would also go into the firmware.

Can I, or should I, do this multiple times without any issues? I feel that, done like this, there would be a lot of garbage MOKs in the firmware.

What should be done in such a case? Should the MOK be deleted before removing Linux? If yes, then how? If we don't remove the MOK before removing Linux, is there a way to remove it outside it?

I've seen this post: Is it possible to delete an enrolled key using mokutil without the original .der file? But I don't exactly get how it works.

I think I don't clearly understand where the key is stored.

I want to understand this MOK concept and know how to deal with it in case of a machine where I may be continuously removing and installing Linux and each time I'll install the graphics driver too.

Pera

1 Answer


As per the documentation of MokVars in shim, which is the first-stage UEFI bootloader that's pretty much pervasive across the Linux ecosystem (RH, Deb, Arch and derivatives), information about the Machine Owner Key (MOK) is stored as UEFI variables (which are stored as somewhat-structured data in the non-volatile storage on the system board, the NVRAM).

As can be seen there, the MOKs are stored as a list of signatures (i.e. public keys/public certs) in the MokList:

MokList: A list of authorized keys and hashes. An EFI_SIGNATURE_LIST as described in the UEFI specification. BS,NV

From the above, it's easy to extrapolate that the MOKs are stored as a list and multiples can be stored. However, as the NVRAM is limited, there's going to be a limit to the number of elements that can be stored in there, so going overboard on the number of MOKs may not be a great idea, as seen here.

As long as you keep a securely stored copy of your MOK (as with any other private key of yours), the MOK does not need to be removed or revoked. As and when you need the MOK again, just restore it from the backed-up copy, and carry on as required.

Samveen
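To make the "list of signatures" concrete, here is an added example (not from the answer, nor code from shim or mokutil) that parses the EFI_SIGNATURE_LIST layout the answer quotes, run over a constructed blob holding one X.509 entry and two SHA-256 hash entries. The `read_mok_list_rt` helper and its path are assumptions: shim mirrors the enrolled list into a runtime-visible `MokListRT` variable under its own vendor GUID, and efivarfs prefixes every variable with 4 attribute bytes, so the parser can be pointed at that file on a real system.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
HDR_LEN = 28  # GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return one
    (type_name, owner_guid, signature_data) tuple per enrolled entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + HDR_LEN + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:  # each EFI_SIGNATURE_DATA = owner GUID + data
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, items):
    """Pack one EFI_SIGNATURE_LIST (header size 0) for constructed test data; all items same length."""
    body = b"".join(owner.bytes_le + d for d in items)
    return sig_type.bytes_le + struct.pack("<III", HDR_LEN + len(body), 0, 16 + len(items[0])) + body


def read_mok_list_rt(path="/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"):
    """Assumed path of shim's runtime copy of MokList; efivarfs prepends 4 attribute bytes."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner
SAMPLE = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x01\x00" + b"A" * 60])  # fake DER
          + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))

if __name__ == "__main__":
    for name, owner, data in parse_signature_lists(SAMPLE):
        print(name, owner, len(data), "bytes")
```

On a live system `mokutil --list-enrolled` shows the same entries in certificate form; this parser only shows how little structure the NVRAM variable itself carries.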