Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"
On Fri, 2021-07-02 at 21:02 +0200, Julian Andres Klode wrote:
> On Thu, Apr 08, 2021 at 02:20:36PM -0700, Adam Williamson wrote:
> > Well, upstream has fixed s/enroll/enable/ . But it has not added any
> > useful explanation of what this does, nor why it prompts for a password
>
> It enables validation in shim, as the manual page says - it's the
> opposite of disable-validation.
>
> > and what that password does.
>
> It's hardly mokutil's job to explain mokmanager's inner workings,
> but as I'm surely aware you know, any action needs to be confirmed
> at boot by a password - or specific characters thereof (sigh).
I didn't actually know that, no. I was completely confused until
someone explained this to me on IRC.
>
> It's a very specific tool to control MokManager that's not really
> suitable for end users, but for distro developers building integration
> so I think both things are kind of non-issues.
However, it is actually necessary for end users in at least one
specific case: developer edition Dell laptops (which are quite popular
among Linux users). These ship with Secure Boot enabled at the firmware
level, but disabled at the MOK level. Running this command is exactly
what you have to do to actually enable Secure Boot properly on those
laptops.
See
https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413#comment-1978725
for me being completely confused about that command.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Reply to: