User talk:Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot

The note about retaining the Microsoft keys could be amended in such a way that re-signing the Microsoft bootloader with the newly created keys is an alternative to retaining the Microsoft keys (KEK and db). I've tried this and it works very well for my system.

This might require a bit of "feeling lucky" during the testing stage after the new keys have been installed in the system's UEFI, because if the keys do not work, even Windows will not boot any longer. Yet, instead of trusting every Microsoft-signed bootloader out there, re-signing only the bootloader for one's own system keeps the system's ability to dual-secure-boot Linux and Windows while locking out all other bootloaders, including Windows2Go and other live systems without a locally signed loader.

EFI bootloaders are capable of carrying more than one signature; thus, restoring the factory-installed keys will keep Windows working, while a locally signed Linux will no longer be able to boot.

That being said, I do not know what happens if a Windows update rewrites the Windows bootloader to the EFI partition. Chances are Windows will no longer boot until the new loader has again been signed with the local keys.
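The re-signing workflow described in the comment above, as an added example that is neither the commenter's nor Sakaki's own script: it re-signs the Windows bootloader with the locally generated db key using sbsign, verifies the result against the local db certificate before anyone reboots (the "feeling lucky" step), records a digest of the signed file, and later reports when a Windows update has replaced the loader with an unsigned (for this machine) copy. It assumes sbsigntools is installed, that the Windows loader lives at /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi, and that the local key pair is at /etc/efikeys/db.key and /etc/efikeys/db.crt as in Sakaki's guide; the digest file path is an assumption for this example. Whether the original Microsoft signature survives sbsign's rewrite depends on the sbsigntools version, so the script keeps a timestamped backup of the Microsoft-signed file in any case.

```shell
#!/bin/sh
# Added example (not from the page): re-sign bootmgfw.efi with the local
# Secure Boot db key and detect when a Windows update has replaced it.
set -eu

# Assumed paths; override via environment, e.g. LOADER=/mnt/efi/... ./resign-bootmgfw.sh resign
LOADER=${LOADER:-/boot/efi/EFI/Microsoft/Boot/bootmgfw.efi}
KEY=${KEY:-/etc/efikeys/db.key}
CERT=${CERT:-/etc/efikeys/db.crt}
HASHFILE=${HASHFILE:-/etc/efikeys/bootmgfw.sha256}   # assumed location of the recorded digest

# SHA-256 of a file; falls back to shasum on systems without coreutils.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Store the digest of the loader we signed, so later runs can tell it apart
# from a copy written by a Windows update.
record_loader_hash() {
    file_digest "$1" > "$2"
}

# Returns 0 (true) when the loader on the ESP is not the one we last signed,
# 1 when it is unchanged. A missing digest file counts as "changed".
loader_changed() {
    loader=$1
    hashfile=$2
    [ -f "$hashfile" ] || return 0
    recorded=$(cat "$hashfile")
    [ "$(file_digest "$loader")" != "$recorded" ]
}

# Re-sign the loader in place with the local db key, keeping a backup of the
# Microsoft-signed file, and refuse to install the result unless sbverify
# accepts it against the local certificate.
resign_loader() {
    loader=$1; key=$2; cert=$3; hashfile=$4
    backup="${loader}.ms-signed.$(date +%Y%m%d%H%M%S)"
    cp -p "$loader" "$backup"
    sbsign --key "$key" --cert "$cert" --output "${loader}.new" "$loader"
    sbverify --cert "$cert" "${loader}.new"
    mv "${loader}.new" "$loader"
    record_loader_hash "$loader" "$hashfile"
    echo "re-signed $loader (Microsoft-signed original kept as $backup)"
    sbverify --list "$loader"
}

# Pre-reboot / post-update check: has Windows replaced the loader, and does
# the current file still verify against the local db certificate?
check_loader() {
    loader=$1; cert=$2; hashfile=$3
    if loader_changed "$loader" "$hashfile"; then
        echo "$loader differs from the last locally signed copy (Windows update?)." >&2
        echo "Re-sign it before rebooting with the local keys enrolled." >&2
        return 1
    fi
    sbverify --cert "$cert" "$loader"
}

main() {
    case "$1" in
        resign) resign_loader "$LOADER" "$KEY" "$CERT" "$HASHFILE" ;;
        check)  check_loader  "$LOADER" "$CERT" "$HASHFILE" ;;
        *)      echo "usage: $0 resign|check" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with a subcommand, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `resign` once before enrolling the local keys and again after any Windows update that the `check` subcommand flags; `check` is a cheap thing to run from a boot-time hook or before a reboot, since a loader that no longer verifies against the local db certificate will not start under Secure Boot with the Microsoft keys removed.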