Re: provide /var/lib/shim-signed/mok/MOK.(priv|pem|der)
On 11/18/21 7:15 AM, Tomas Pospisek wrote:
> On Thu, 18 Nov 2021, Thomas Goirand wrote:
> 
>> On 11/17/21 11:01 AM, Tomas Pospisek wrote:
>>> Our instructions on Secure Boot [1] are a bit scatterbrained and do not
>>> specify precisely where the key should exist.
>>
>> I was the one who wrote them, after *A LOT* of research about it on the
>> internet. It was hard to find, really.
>>
>> I just explained how to sign, with no intention to have this automated
>> (at the time), so no wonder there's no standard path...
> 
> I did not intend my characterisation of the instructions as a critique
> of your work.

No worries, I didn't take it this way! :)

>> Hopefully, we can have the automation to sign DKMS modules in a non-leaf
>> package. I would strongly suggest we get a package with a very explicit
>> name in it, like "dkms-automatic-mok-signing" so it would do the work. I
>> would absolutely *not* go the path of disabling secure boot when a DKMS
>> module gets installed...
> 
> Since I have not looked further I am *guessing* that Ubuntu does the
> automatic creation of the MOK key in the shim-signed package. So I think
> it should be possible to lift Ubuntu's work out of there and also put it
> into the shim-signed package, into postinst or so.
> 
> *t

As I understand, doing updates of shim-signed requires a signature from
Microsoft, so probably it's not the best place to do some change.

As for module automatic signatures, maybe this could go into the dkms
package itself, with some kind of configuration? Again, just a
suggestion... :)

Cheers,

Thomas Goirand (zigo)