
Bug#989463: provide /var/lib/shim-signed/mok/MOK.(priv|pem|der)

(Thomas, I hope you don't mind that I put you in the Cc.)

Leif Lindholm wrote:

> Currently, if dkms is installed, shim-signed prompts to disable
> kernel/module verification on next boot on some trigger events - to
> ensure the system will successfully boot (something, not necessarily
> untampered with) after a kernel upgrade.
>
> According to Vorlon, in Ubuntu:
> "that's since been superseded by code to instead generate and enroll a
> MOK key and sign all dkms modules with it."

This sounds like a very useful feature that would be worth bringing into Debian.

I'd like to expand on this. When I install upstream (Oracle's) virtualbox-6.1, the package tries to compile and sign the required VirtualBox modules and fails because it is unable to sign them.

As far as I understand the code, the upstream virtualbox-6.1 package expects the MOK keys to be at:

    # grep "^DEB_.*KEY=" /usr/lib/virtualbox/vboxdrv.sh
    DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
    DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv

On an Ubuntu box (I checked on a focal one) the keys are there:

-rw------- 1 root root 1704 Jul 13  2018 /var/lib/shim-signed/mok/MOK.priv

I do not know how they happen to appear there. I tried to find out, but failed due to not having direct access to that focal box.

Our instructions on Secure Boot [1] are a bit scatterbrained and do not specify precisely where the key should exist.

I would edit those instructions so that they create the key at the same location where Ubuntu has its MOK keys. However, I would prefer not to collide with tools, automation, or scripts that do the same thing in the same place.

I think it'd be preferable if Debian created its key automatically (however Ubuntu does it) in the same place as Ubuntu has them. That would make most of the instructions in the wiki [1] unnecessary and would make the user experience much easier and smoother, since the (upstream) virtualbox package could install and sign its modules by itself without any user interaction, just like it happens under Ubuntu (?).

?
*t

[1] https://wiki.debian.org/SecureBoot
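Added example (not from the bug report, shim-signed, or the Ubuntu tooling): a POSIX shell sketch of what "provide MOK.(priv|pem|der)" amounts to, creating the three files under a given directory and checking that MOK.der really belongs to MOK.priv before anything is signed with them. The target directory /var/lib/shim-signed/mok and the sign-file path are assumptions taken from the vboxdrv.sh output above and from the kernel's scripts/sign-file; the certificate CN is a constructed value.

```shell
# Create MOK.priv (RSA private key), MOK.pem (self-signed X.509 cert, PEM)
# and MOK.der (same cert in DER, the form mokutil --import and
# DEB_PUB_KEY in vboxdrv.sh expect) under DIR. Assumed real DIR:
# /var/lib/shim-signed/mok. The private key is created mode 0600.
create_mok() {
    dir=$1
    mkdir -p "$dir" || return 1
    umask 077
    # Constructed subject; -nodes leaves the key unencrypted so unattended
    # dkms builds can use it, which is why its permissions matter.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Example Debian MOK (added example)/" \
        -keyout "$dir/MOK.priv" -out "$dir/MOK.pem" 2>/dev/null || return 1
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der" 2>/dev/null || return 1
    chmod 0600 "$dir/MOK.priv"
}

# Return 0 only if MOK.der and MOK.priv carry the same public key, so a
# module signed with MOK.priv will verify against the enrolled MOK.der.
# Catches a stale private key left behind after the cert was regenerated.
mok_consistent() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/MOK.der" -inform DER -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/MOK.priv" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Sign one module in place with the pair. SIGN_FILE is the kernel's
# scripts/sign-file helper (assumed path on Debian:
# /usr/lib/linux-kbuild-<version>/scripts/sign-file).
sign_module() {
    sign_file=$1; dir=$2; module=$3
    mok_consistent "$dir" || { echo "MOK.der does not match MOK.priv" >&2; return 1; }
    "$sign_file" sha256 "$dir/MOK.priv" "$dir/MOK.der" "$module"
}
```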
