
Re: provide /var/lib/shim-signed/mok/MOK.(priv|pem|der)



On 11/17/21 11:01 AM, Tomas Pospisek wrote:
> Our instructions on Secure Boot [1] are a bit scatterbrained and do not
> specify precisely where the key should exist at.

I was the one who wrote them, after *A LOT* of research about it on the
internet. It was hard to find, really.

I just explained how to sign, with no intention to have this automated
(at the time), so no wonder there's no standard path...

> I would edit those instructions so that they create the key at the same
> location Ubuntu has its MOK keys. However I would prefer not to collide
> with some tools or automation or scripts that do the same at the same
> place.

Please go ahead, and explain that this is the Ubuntu path.

> I think it'd be preferable if Debian created (or however Ubuntu does it)
> its key automatically at that same place as Ubuntu has them, which
> would make most of the instructions in the wiki [1] unnecessary and
> would make the user experience much easier and smoother since the
> (upstream) virtualbox package could install and sign its modules by
> itself without any user interaction, just like it happens under Ubuntu (?).
> 
> ?

Well, to begin with, I wonder why the upstream virtualbox package is
pushing its compiled modules at the wrong location, but yeah, sure!

Hopefully, we can have the automation to sign DKMS modules in a non-leaf
package. I would strongly suggest we get a package with a very explicit
name in it, like "dkms-automatic-mok-signing" so it would do the work. I
would absolutely *not* go the path of disabling secure boot when a DKMS
module gets installed...

That's only a suggestion, and I'm not volunteering, so that's only my 2
cents of comments... :)

Cheers,

Thomas Goirand (zigo)

