diff --git a/.vscode/settings.json b/.vscode/settings.json
index 82f3d1d48..1f82dc6dd 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,6 @@
 {
 "files.associations": {
- "*.service": "ini"
+ "*.service": "ini",
+ "*.cnf": "ini"
 }
 }
diff --git a/scripts/PopOS/secure-boot/install.sh.sh b/scripts/PopOS/secure-boot/install.sh.sh
index 33750955c..67d2cf47d 100755
--- a/scripts/PopOS/secure-boot/install.sh.sh
+++ b/scripts/PopOS/secure-boot/install.sh.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
+scriptRoot=$(realpath "${BASH_SOURCE%/*}")
+
 # Elevate script
 if [ ! "$UID" -eq 0 ]
 then
 sudo bash "$BASH_SOURCE"
+ bash "$scriptRoot/sign-modules.sh"
 else
 # Create context directory
 workingDirectory="$(pwd)"
@@ -30,6 +33,7 @@ else
 systemdFile=$systemdFullName/systemd-bootx64.efi
 
 # Set up files
+ cp $systemdFile $defaultBootDir/BOOTx64.efi
 mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi
 cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
 cp "$src/mmx64.efi" $defaultBootDir
@@ -50,6 +54,19 @@ else
 # Install surface MOK
 apt install -y linux-surface-secureboot-mok
 
+ # Install MOK Key
+ keyDir="/var/lib/shim-signed/mok"
+ mkdir -p "$keyDir"
+ cp "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
+
+ openssl req -config "$keyDir/openssl.cnf" \
+ -new -x509 -newkey rsa:2048 \
+ -nodes -days 36500 -outform DER \
+ -keyout "$keyDir/MOK.priv" \
+ -out "$keyDir/MOK.der"
+
+ mokutil --import "$keyDir/MOK.der"
+
 # Remove context directory
 cd $workingDirectory
 rm -rf $contextRoot
diff --git a/scripts/PopOS/secure-boot/openssl.cnf b/scripts/PopOS/secure-boot/openssl.cnf
new file mode 100644
index 000000000..7cce47169
--- /dev/null
+++ b/scripts/PopOS/secure-boot/openssl.cnf
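Review bot: `scriptRoot=$(realpath "${BASH_SOURCE%/*}")` resolves to the script file itself rather than its directory whenever the script is started without a path component (`bash install.sh.sh` from inside the folder), because `${BASH_SOURCE%/*}` then has no slash to strip, and both `$scriptRoot/sign-modules.sh` here and the later `$scriptRoot/openssl.cnf` point at a path that does not exist. `scriptRoot=$(dirname "$(realpath "${BASH_SOURCE[0]}")")` gives the directory in every invocation form. The new `bash "$scriptRoot/sign-modules.sh"` also runs even when the elevated `sudo bash "$BASH_SOURCE"` failed (no `set -e` is visible and the status is not checked), and it is never run at all when the installer is started as root, since the call sits only in the non-root branch; `sudo bash "$BASH_SOURCE" && bash "$scriptRoot/sign-modules.sh"` at least ties the signing step to a successful install. The if/else this hunk opens continues outside the hunk.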
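Review bot: The added `cp $systemdFile $defaultBootDir/BOOTx64.efi` is immediately followed by the existing `mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi`, so the pair amounts to copying systemd-boot to grubx64.efi while silently discarding whatever BOOTx64.efi was there before, and with no `set -e` visible a failed copy (missing `$systemdFile`) leaves the old BOOTx64.efi to be renamed and then chained to by shim, with nothing reporting it. `cp -- "$systemdFile" "$defaultBootDir/grubx64.efi" || exit 1` expresses the intent in one checked line and drops the dependence on the rename. Every variable on these lines is unquoted, so a `$defaultBootDir` or `$systemdFullName` containing whitespace would split into several arguments. The enclosing else block starts and ends outside the hunk.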
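Review bot: The `openssl req ... -keyout "$keyDir/MOK.priv"` step runs unconditionally, so re-running the installer overwrites an existing MOK key pair: modules signed with the previous key stop loading under Secure Boot, the new certificate has to be enrolled again, and the old one stays in the MOK list. Guarding generation with `if [[ ! -f "$keyDir/MOK.priv" ]]; then ... fi` keeps the installer idempotent. The private key is written with `-nodes` (unencrypted) and its mode is left to openssl's defaults and the umask; `chmod 0600 "$keyDir/MOK.priv"` right after generation makes the intended permission explicit. Neither the openssl call nor `mokutil --import` has its status checked, and the import prompts interactively for a one-time password and only completes in MokManager on the next boot, which a comment such as `# mokutil asks for a one-time password; enrollment finishes in MokManager at next boot` would make clear to whoever runs this.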
@@ -0,0 +1,24 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = CH
+stateOrProvinceName = Zurich
+localityName = Winterthur
+0.organizationName = lordgizmo
+commonName = Secure Boot Signing
+emailAddress = m@nuth.ch
+
+[ v3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
+nsComment = "Secure Boot Signing"
diff --git a/scripts/PopOS/secure-boot/sign-modules.sh b/scripts/PopOS/secure-boot/sign-modules.sh
new file mode 100755
index 000000000..003db2945
--- /dev/null
+++ b/scripts/PopOS/secure-boot/sign-modules.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Elevate script
+if [ ! "$UID" -eq 0 ]
+then
+ sudo bash "$BASH_SOURCE"
+else
+ keyDir="/var/lib/shim-signed/mok"
+ keyFile="$keyDir/MOK.priv"
+ pubFile="$keyDir/MOK.der"
+
+ for file in $(find /lib/modules /var/lib/dkms -name *.ko);
+ do
+ kmodsign sha512 $keyFile $pubFile $file
+ done
+fi
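Review bot: The `extendedKeyUsage` line in `[ v3 ]` carries two raw OIDs with no indication of what they grant, which is the one line of this file a later reader cannot check by eye; a comment above it such as `# 1.3.6.1.4.1.311.10.3.6 = Microsoft Windows System Component Verification, 1.3.6.1.4.1.2312.16.1.2 = Linux kernel module signing` would document them (that is how I read the OIDs — worth confirming before committing the comment). The `HOME = .` / `RANDFILE = $ENV::HOME/.rnd` pair is a legacy OpenSSL idiom: with `-config` pointing at the copy in the key directory but openssl run from the installer's working directory, any `.rnd` file lands in whatever that cwd is, and recent OpenSSL releases no longer depend on it, so it could be dropped or marked as legacy. The distinguished-name fields are the author's personal details and end up in the enrolled certificate, which a one-line comment at the top of `[ req_distinguished_name ]` should say so that anyone reusing the script edits them. This file looks like the one shim-signed's `update-secureboot-policy --new-key` generates on Ubuntu derivatives; if that tool is present on Pop!_OS, calling it would avoid carrying the config at all.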
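Review bot: `for file in $(find /lib/modules /var/lib/dkms -name *.ko)` word-splits find's output on whitespace and leaves `*.ko` unquoted, so the shell expands it against the current directory before find sees it — one `.ko` file in cwd silently changes the predicate, two make find reject its arguments; `find /lib/modules /var/lib/dkms -name '*.ko' -exec kmodsign sha512 "$keyFile" "$pubFile" {} \;` does the same work in one line with the three variables quoted. The loop signs every module under /lib/modules, including the distribution's already-signed ones, rather than only the out-of-tree DKMS modules the MOK exists for; limiting it to the dkms tree may be what was intended — worth confirming. Nothing checks that `$keyFile` exists, so on a host where the key step in install.sh.sh did not run kmodsign fails once per module with no summary; `[[ -r "$keyFile" ]] || { echo "missing $keyFile" >&2; exit 1; }` before the loop gives one clear failure. Newer kernels ship compressed modules (`*.ko.zst`, `*.ko.xz`) that `-name '*.ko'` does not match, also worth confirming for the target release.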