
Bug#989463: provide /var/lib/shim-signed/mok/MOK.(priv|pem|der)



On Thu, 18 Nov 2021 13:32:58 +0100 Thomas Goirand <zigo@debian.org> wrote:
> On 11/18/21 7:15 AM, Tomas Pospisek wrote:
> > On Thu, 18 Nov 2021, Thomas Goirand wrote:
> > 
> >> On 11/17/21 11:01 AM, Tomas Pospisek wrote:
(...)
> >> Hopefully, we can have the automation to sign DKMS modules in a
> >> non-leaf package. I would strongly suggest we get a package with a
> >> very explicit name in it, like "dkms-automatic-mok-signing" so it
> >> would do the work. I would absolutely *not* go the path of disabling
> >> secure boot when a DKMS module gets installed...
> > 
> > Since I have not looked further I am *guessing* that Ubuntu does the
> > automatic creation of the MOK key in the shim-signed package. So I
> > think it should be possible to lift Ubuntu's work out of there and
> > also put it into the shim-signed package, into postinst or so.
> > 
> > *t
> 
> As I understand, doing updates of shim-signed requires a signature
> from Microsoft, so probably it's not the best place to do some change.


https://salsa.debian.org/efi-team/shim-signed/-/tree/master/
The EFI binaries are signed, but not the package itself. Modifying the
package postinst and its update-secureboot-policy script is fine.

> 
> As for module automatic signatures, maybe this could go into the dkms
> package itself, with some kind of configuration? Again, just a
> suggestion... :)
> 

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/openssl.cnf
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/update-secureboot-policy
This Ubuntu update-secureboot-policy script has a --new-key flag to
generate the MOK in /var/lib/shim-signed/mok/.

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/debian/shim-signed.postinst
calls update-secureboot-policy --new-key on configure. It also signs the
DKMS modules.


Cheers,
Alban
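
What the automation discussed in this thread amounts to, as an added example that is not the Ubuntu update-secureboot-policy script linked above nor any Debian shim-signed code: generate the MOK key pair and certificate under the directory named in the bug title, sign a module with the kernel's sign-file, and check for the signature trailer the kernel appends. The openssl config contents, the sign-file search paths, the MOK_DIR override and all function names are this example's own assumptions; the extendedKeyUsage OID 1.3.6.1.4.1.2312.16.1.2 is the one shim uses to mark a key as module-signing-only, so enrolling it does not also authorize booting.

```shell
#!/bin/sh
# Constructed example: create a Machine Owner Key (MOK) the way a
# "--new-key" step would, enrol it, and sign a DKMS-built module with it.
# Not Ubuntu's update-secureboot-policy or Debian's shim-signed code;
# paths, config contents and function names are this example's own.
set -u

# Assumed layout, matching the directory named in the bug title.
MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"

# Write an openssl config for a self-signed module-signing certificate.
# codeSigning plus 1.3.6.1.4.1.2312.16.1.2 (shim's module-signing-only
# marker) keeps the enrolled key from doubling as a boot-authorizing key.
mok_write_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = mok_exts

[ req_distinguished_name ]
O = Example
CN = Example Secure Boot Module Signature key

[ mok_exts ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# mok_new_key DIR: create DIR/MOK.priv (private key, mode 0600),
# DIR/MOK.pem and DIR/MOK.der (the certificate in both encodings).
# Leaves an existing key alone: regenerating it would orphan every
# module already signed with the old one.
mok_new_key() {
    dir="$1"
    if [ -s "$dir/MOK.priv" ] && [ -s "$dir/MOK.der" ]; then
        return 0
    fi
    mkdir -p "$dir"
    mok_write_config "$dir/openssl.cnf"
    ( umask 077
      openssl req -new -x509 -nodes -sha256 -days 36500 -batch \
          -config "$dir/openssl.cnf" \
          -keyout "$dir/MOK.priv" -out "$dir/MOK.pem" >/dev/null 2>&1 ) \
        || return 1
    openssl x509 -in "$dir/MOK.pem" -outform DER -out "$dir/MOK.der" || return 1
    chmod 0600 "$dir/MOK.priv"
}

# mok_cert_is_module_signing DIR: 0 if the certificate carries the
# Code Signing extended key usage, 1 otherwise.
mok_cert_is_module_signing() {
    openssl x509 -in "$1/MOK.pem" -noout -text | grep -q 'Code Signing'
}

# mok_module_is_signed MODULE: 0 if MODULE ends with the kernel's
# MODULE_SIG_STRING ("~Module.sig~" plus newline), which is how the
# kernel and modinfo detect an appended signature; 1 otherwise.
mok_module_is_signed() {
    [ "$(tail -c 13 "$1" | head -c 12)" = '~Module.sig~' ]
}

# mok_sign_module DIR MODULE: sign MODULE in place with the running
# kernel's sign-file (search paths are an assumption about where
# Debian/Ubuntu header packages put it). Returns 1 if none is found.
mok_sign_module() {
    dir="$1"; mod="$2"
    for candidate in "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
                     "/lib/modules/$(uname -r)/build/scripts/sign-file"; do
        if [ -x "$candidate" ]; then
            "$candidate" sha256 "$dir/MOK.priv" "$dir/MOK.pem" "$mod" || return 1
            mok_module_is_signed "$mod"
            return $?
        fi
    done
    echo "sign-file not found for kernel $(uname -r)" >&2
    return 1
}

# mok_enroll DIR: queue the certificate for enrolment. mokutil asks for
# a one-time password; MokManager asks for it again at the next boot.
mok_enroll() {
    mokutil --import "$1/MOK.der"
}

# Usage: mok.sh new-key | enroll | sign /path/to/module.ko
case "${1:-}" in
    new-key) mok_new_key "$MOK_DIR" ;;
    enroll)  mok_enroll "$MOK_DIR" ;;
    sign)    mok_new_key "$MOK_DIR" && mok_sign_module "$MOK_DIR" "$2" ;;
esac
```

The three steps are deliberately separate: creating the key needs nothing but write access to the directory, enrolment needs a human at the console for the MokManager prompt, and signing is the only part a DKMS post-build hook should have to call. A module that mok_module_is_signed rejects will still load with Secure Boot off, which is exactly the silent fallback the thread argues against.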