UEFI Secure Boot Tutorial
Intel's "Practical UEFI Secure Boot" video series is available on YouTube, addressing common questions about using this feature with Microsoft Windows 8 & Linux.
Information referenced by the videos is included below.
Required Security Credentials
Key Exchange Key (KEK):
There are two DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
The UEFI DB entry allows binaries signed against the UEFI certificate authority to run when Secure Boot is enabled. This includes UEFI drivers, option ROMs and various Linux bootloaders. The Microsoft DB entries are specific to Microsoft Windows 8. The GUID associated with these certificates is 77fa9abd-0359-4d32-bd60-28f4e78f784b.
Generating a PK using OpenSSL
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt
openssl x509 -in PK.crt -out PK.cer -outform DER
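Added example, not part of the original page or the Intel videos: in the firmware key databases each DER certificate (such as PK.cer above) is stored inside an EFI_SIGNATURE_LIST together with an owner GUID like the one quoted earlier. The Python below builds and re-parses that wrapper with size validation. The EFI_CERT_X509_GUID value and the structure layout are taken from the UEFI specification rather than from this page, the function names are illustrative, and SAMPLE_DER is constructed filler standing in for a real certificate.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification (not stated on this page).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID quoted on this page for the Microsoft certificates.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize.
_LIST_HDR = struct.Struct("<16sIII")


def build_x509_siglist(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST."""
    if not der_cert or der_cert[0] != 0x30:
        raise ValueError("expected DER (ASN.1 SEQUENCE); convert PEM with -outform DER")
    sig_size = 16 + len(der_cert)        # SignatureOwner + SignatureData
    total = _LIST_HDR.size + sig_size    # X.509 lists carry no SignatureHeader
    hdr = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, total, 0, sig_size)
    return hdr + owner.bytes_le + der_cert


def parse_siglists(blob: bytes):
    """Yield (signature_type, owner, data) per entry, rejecting bad sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated list header")
        sig_type, total, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        body = total - _LIST_HDR.size - hdr_size
        if total > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + _LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=sig_type), owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off += total


# Constructed stand-in for PK.cer or a DB certificate: DER SEQUENCE header plus filler.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x04]) + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    esl = build_x509_siglist(SAMPLE_DER, MICROSOFT_OWNER_GUID)
    for sig_type, owner, data in parse_siglists(esl):
        print(sig_type, owner, len(data))
```

GUIDs are serialized in the mixed-endian EFI layout (`bytes_le`), which is why the owner GUID in a raw variable dump does not match its textual form byte for byte.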
For more information on signing UEFI code for use with Secure Boot, refer to the "Signing UEFI Applications and Drivers for UEFI Secure Boot" document at tianocore.org.