
Bug#990311: Secure boot does not work correctly with nvidia-driver after upgrade to Debian 10.10



Dear Maintainer,

I can confirm this issue - after upgrade on 21.06.2021, Secure Boot no longer works. Signing the third party kernel modules reports no problems, but the signed modules are not loaded on boot. Issue appears to be that the MOK is not available during and/or after boot.

host:/# mokutil --list-enrolled

MokListRT is empty


Using mokutil to reinstall the MOK works in that the correct user key is visible in the EFI utility during the next restart, but after boot the output of mokutil --list-enrolled is unchanged (MokListRT is empty).  Booting an older kernel (which was working without problem prior to the upgrade) does not change the behaviour on boot. This indicates to me that the problem is not related to module signing.

Downgrading shim by downloading the relevant packages from snapshot.debian.org and rolling back results in a system where the MOK is correctly listed by mokutil --list-enrolled:


host:/# apt-get install shim-signed=1.33+15+1533136590.3beb971-7 shim-signed-common=1.33+15+1533136590.3beb971-7 shim-unsigned=15+1533136590.3beb971-7+deb10u1 shim-helpers-amd64-signed=1+15+1533136590.3beb971+7+deb10u1


After this downgrade, the nvidia driver modules were loaded on next boot. The virtualbox modules could only be loaded after re-signing with the MOK. Once this has been done, the system boots normally on subsequent restarts.  Following the same procedure and updating from version 1.33 to version 1.34 showed the same behaviour as for 1.36 - mokutil --list-enrolled reported an empty list.


Best regards,

Gareth
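
The two states described in the message above (MokListRT empty after boot, versus a MOK present but a module not signed by it) can be told apart from captured `mokutil --list-enrolled` output. This is an added example, not part of the original message or of Debian's tooling; the sample outputs, the signer name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample outputs are constructed, not from the bug report.
SAMPLE_EMPTY='MokListRT is empty'
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: (constructed placeholder)
Certificate:
    Data:
        Issuer: CN=Example Module Signing Key
        Subject: CN=Example Module Signing Key
        Subject Public Key Info:'

# stdin: `mokutil --list-enrolled` output.
# Prints "empty" if no MOK was exported to the running system, else "keys:<n>".
mok_state() {
    awk '
        /MokListRT is empty/ { empty = 1 }
        /^\[key [0-9]+\]/    { n++ }
        END {
            if (empty || n == 0) print "empty"
            else print "keys:" n
        }'
}

# $1: signer CN as printed by `modinfo -F signer <module>`.
# stdin: mokutil output. Returns 0 if an enrolled certificate has that Subject CN.
signer_enrolled() {
    awk -v cn="$1" '
        /^[ \t]*Subject:/ {
            s = $0
            sub(/^.*CN *= */, "", s)    # accepts "CN=x" and "CN = x"
            sub(/,.*$/, "", s)          # drop any fields after the CN
            sub(/[ \t]+$/, "", s)
            if (s == cn) found = 1
        }
        END { exit !found }'
}

# $1: mokutil output, $2: signer CN. Prints one verdict token.
diagnose() {
    if [ "$(printf '%s\n' "$1" | mok_state)" = "empty" ]; then
        echo "mok-missing"          # the state reported after the shim upgrade
    elif printf '%s\n' "$1" | signer_enrolled "$2"; then
        echo "signer-enrolled"
    else
        echo "signer-not-enrolled"  # module must be re-signed with the MOK
    fi
}

diagnose "$SAMPLE_EMPTY" "Example Module Signing Key"
diagnose "$SAMPLE_ENROLLED" "Example Module Signing Key"
```

On a live system the two arguments would be `"$(mokutil --list-enrolled)"` and `"$(modinfo -F signer <module>)"`.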


