Bug#989463: please align shim-signed dkms behaviour with Ubuntu
Currently, if dkms is installed, shim-signed prompts to disable
kernel/module verification on next boot on some trigger events - to
ensure the system will successfully boot (something, not necessarily
untampered with) after a kernel upgrade.
According to Vorlon, in Ubuntu:
"that's since been superseded by code to instead generate and enroll a
MOK key and sign all dkms modules with it."
This sounds like a very useful feature that would be worth bringing into Debian.