+<li><b>Your boot loaders and kernels</b>—Your OS boot loaders, and perhaps your Linux kernels, must be signed. They can be signed with any of the three key types. Indeed, your system may have a mix of all three types—a Windows 8 boot loader will most likely be signed with Microsoft's Secure Boot key, GRUB and kernels provided by most distributions will be signed with their own Shim keys, and if you use your own locally-compiled kernel or a boot loader from an unusual source you may need to sign it with a MOK. Aside from signing, these files can be installed in exactly the same way as if your computer were not using Secure Boot.</li>
+
+</ul>
+
+<p>If you've installed a distribution that provides Shim and can boot it with Secure Boot active, and if you then install rEFInd using the RPM file that I provide or by running <tt>refind-install</tt>, chances are you'll end up with a working rEFInd that will start up the first time, with one caveat: You'll have to use MokManager to add rEFInd's MOK to your MOK list, as described shortly. If you don't already have a working copy of Shim on your ESP, your task is more complex. Broadly speaking, the procedure should be something like this:</p>
+
+<ol>
+
+<li>Boot the computer. This can be a challenge in and of itself. You may
+ need to use a Secure Boot–enabled Linux emergency disc,
+ temporarily disable Secure Boot, or do the work from Windows.</li>
+
+<li><a href="getting.html">Download rEFInd</a> in binary form (the binary
+ zip or CD-R image file). If you download the binary zip file, unzip it;
+ if you get the CD-R image file, burn it to a CD-R and mount it.</li>
+
+<li>Download Shim from <a
+ href="http://www.codon.org.uk/~mjg59/shim-signed/">Matthew J. Garrett's
+ download site</a> or from your distribution. (Don't use an early 0.1
+ version, though; as noted earlier, it's inadequate for use with
+ rEFInd.)</li>
+
+<p class="sidebar"><b>Tip:</b> If you're running Linux, you can save some effort by using the <tt>refind-install</tt> script with its <tt>--shim <tt class="variable">/path/to/shim.efi</tt></tt> option rather than installing manually, as in steps 4–6 of this procedure. If you've installed <tt>openssl</tt> and <tt>sbsign</tt>, using <tt>--localkeys</tt> will generate local signing keys and re-sign the rEFInd binaries with your own key, too. You can then use <tt>sbsign</tt> and the keys in <tt>/etc/refind.d/keys</tt> to sign your kernels or boot loaders.</p>
+
+<li>Copy the <tt>shim.efi</tt> and <tt>MokManager.efi</tt> binaries to the
+ directory you intend to use for rEFInd—for instance,
+ <tt>EFI/refind</tt> on the ESP.</li>
+
+<li>Follow the installation instructions for rEFInd on the <a
+ href="installing.html">Installing rEFInd</a> page; however, you should
+ normally give rEFInd the filename <tt>grubx64.efi</tt> and register
+ <tt>shim.efi</tt> with the EFI by using <tt>efibootmgr</tt> in Linux or
+ <tt>bcdedit</tt> in Windows. Be sure that rEFInd (as
+ <tt>grubx64.efi</tt>), <tt>shim.efi</tt>, and <tt>MokManager.efi</tt>
+ all reside in the same directory. If you're using Shim 0.7 or later and
+ installing it under Linux, you may optionally keep rEFInd's
+ <tt>refind_x64.efi</tt> name; but you must then tell Shim to use rEFInd
+ by passing an additional <tt>-u "shim.efi refind_x64.efi"</tt> option
+ to <tt>efibootmgr</tt>. Change the filenames to the actual filenames
+ used by Shim and rEFInd, respectively.</li>
+
+<li>Copy the <tt>refind.cer</tt> file from the rEFInd package to your ESP,
+ ideally to a location with few other files. (The rEFInd installation
+ directory should work fine.)</li>
+
+<li>Reboot. With any luck, you'll see a simple text-mode user interface
+ with a label of <tt>Shim UEFI key management</tt>. This is the
+ MokManager program, which Shim launched when rEFInd failed verification
+ because its key is not yet enrolled.</li>
+
+<li>Press your down arrow key and press Enter to select <tt>Enroll key from
+ disk</tt>. The screen will clear and prompt you to select a key, as
+ shown here:
+
+ <br /><img src="MokManager1.png" align="CENTER" width="676"
+ height="186" alt="MokManager's user interface is crude but effective."
+ border=2> <br />
+
+ This user interface was used in early versions of MokManager, but
+ somewhere between versions 0.4 and 0.7, the user interface received an
+ upgrade. If you've got a more recent version, it will look more like
+ this:
+
+ <br /><img src="MokManager2.png" align="CENTER" width="800"
+ height="345" alt="Recent versions of MokManager provide a somewhat more
+ user-friendly user interface." border=2> <br /> </li>
+
+<li>Each of the lines with a long awkward string represents a disk
+ partition. Select one and you'll see a list of files. Continue
+ selecting subdirectories until you find the <tt>refind.cer</tt> file
+ you copied to the ESP earlier. (Note that in the early user interface
+ the long lines can wrap and hide valid entries on the next line, so you
+ may need to select a disk whose entry is masked by another one!)</li>
+
+<li>Select <tt>refind.cer</tt>. You can type <tt class="userinput">1</tt>
+ to view the certificate's details if you like, or skip that and type
+ <tt class="userinput">0</tt> to enroll the key.</li>
+
+<li>Back out of any directories you entered and return to the MokManager
+ main menu.</li>