diff --git a/README b/README
new file mode 100644
index 0000000..47011c0
--- /dev/null
+++ b/README
@@ -0,0 +1,56 @@
+ The keys under this directory are the public keys used in
+the verification process of secure boot process for StarlingX
+debian.
+
+Keys Introduction:
+ tis-boot.crt: it is the public key flashed into BIOS to verify
+ bootx64.efi (signed shim image shimx64.efi) and mmx64.efi
+ (signed shim tool image);
+ tis-shim.der: it is the public key used by shim to verify
+ grubx64.efi (signed grub image);
+ boot_pub_key: it is the public key used by grub to verify signed
+ kernel image and initramfs image and efitools image and so on.
+ TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
+ der format. It is installed as /CERTS/TiBoot.crt in the efi.img
+ which is in the iso image.
+
+The following ways can be used to create substitute keys:
+(1)example to create tis-boot.crt/TiBoot.crt
+openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
+openssl x509 -inform der -in BOOT.der -out BOOT.pem
+cp BOOT.pem tis-boot.crt
+cp BOOT.priv tis-boot.key
+cp BOOT.der TiBoot.crt
+The tis-boot.crt and tis-boot.key are used to sign images mentioned above.
+
+The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.
+
+(2)example to create boot_pub_key
+************
+#!/bin/bash
+key_dir="./"
+priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
+pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
+name_real="SecureBootCore"
+pw="PASSWORD"
+USE_PW="Passphrase: PASSWORD"
+
+cat >"${key_dir}/gen_keyring" < "${pub_key}"
+gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
+gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
+************
+The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.
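Review bot: In the boot_pub_key script the passphrase is handed to gpg on its command line as `--passphrase "${pw}"`, where it is visible to every local user through the process list, and `pw="PASSWORD"` / `USE_PW="Passphrase: PASSWORD"` hard-code it in a recipe people will copy verbatim. Feed it through a descriptor instead, e.g. `printf '%s' "${pw}" | gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase-fd 0 --armor "${name_real}" > "${priv_key}"`, and state in the README that the passphrase and the exported BOOT-GPG-PRIVKEY-SecureBootCore must be kept out of the build tree (with `key_dir="./"` the `--homedir` keyring and the private key land in the current directory). The last export redirects to an unquoted path, `> ${key_dir}/boot_pub_key`, unlike the two redirections above it; quote it as `> "${key_dir}/boot_pub_key"`. The hunk header announces 56 lines but roughly 42 are visible here and `cat >"${key_dir}/gen_keyring" < "${pub_key}"` is not a complete command, so the keyring-parameter heredoc (presumably where USE_PW is consumed) seems to have been lost in this rendering rather than in the commit; worth confirming the committed file is intact.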
diff --git a/TiBoot.crt b/TiBoot.crt
new file mode 100644
index 0000000..2b30d2d
Binary files /dev/null and b/TiBoot.crt differ
diff --git a/boot_pub_key b/boot_pub_key
new file mode 100644
index 0000000..f9e50a6
Binary files /dev/null and b/boot_pub_key differ
diff --git a/tis-boot.crt b/tis-boot.crt
new file mode 100644
index 0000000..2bb80ca
--- /dev/null
+++ b/tis-boot.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD
+QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX
+aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1
+OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250
+YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl
+bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb
+qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl
+s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8
+wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX
+xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD
+d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ
+Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd
+beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG
+7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI
+0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F
+cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis
+a16FUsgrac0uAQa55IQ=
+-----END CERTIFICATE-----
diff --git a/tis-shim.der b/tis-shim.der
new file mode 100644
index 0000000..b29ee11
Binary files /dev/null and b/tis-shim.der differ
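Review bot: If I am reading the DER in the tis-boot.crt hunk correctly, the added certificate is self-signed RSA-2048 with a sha1WithRSAEncryption signature (OID 1.2.840.113549.1.1.5) and a validity of 2016-12-01 to 2026-11-29, and neither the expiry nor the digest is recorded in the README this commit adds. UEFI firmware and shim generally do not enforce X.509 validity dates on enrolled keys, but any other consumer that does will start rejecting signatures after that date, so the README should state the validity window and who owns rotation, and the shipped key's digest should agree with what the documented `openssl req -new -x509 ...` recipe produces (SHA-256 on current OpenSSL). The tbsCertificate also appears to carry no version field, i.e. an X.509 v1 certificate without keyUsage or basicConstraints; confirm with `openssl x509 -in tis-boot.crt -noout -text` and document it if that is intended.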