MOK Architecture. The keys added via mokutil via any Linux OS, will be stored in the MOK database. Since its a boot service variable, it will be stored in the BIOS NVRAM. On next boot the shim layer will prompt for enrolling the key. Once enrolled the key can be used to validate the respective async drivers (not part of OS distribution) by kernel to allow installing them during OS boot or run time.