Bug#1084097: mokutil: should create and import key when package is installed
Package: mokutil
Version: 0.6.0-2+b1
Severity: normal
https://wiki.debian.org/SecureBoot
The Debian wiki page about SecureBoot has the following instructions:
# mkdir -p /var/lib/shim-signed/mok/
# cd /var/lib/shim-signed/mok/
# openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
# openssl x509 -inform der -in MOK.der -out MOK.pem
$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for one-time password
$ sudo mokutil --list-new # recheck your key will be prompted on next boot
I think that this should be done on installation by this package. The
mokutil command can't be used for its actual things until this is done,
so there's not much point in having it installed without this being done.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
The above bug report has a lot of information on this.
The following, copied from the above bug report, has information on what Ubuntu is doing.
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/openssl.cnf
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/update-secureboot-policy
This ubuntu update-secureboot-policy has a --new-key flag to generate
the MOK in /var/lib/shim-signed/mok/.
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/debian/shim-signed.postinst
calls update-secureboot-policy --new-key on configure. It also signs the
dkms modules.
-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages mokutil depends on:
ii libc6 2.40-3
ii libcrypt1 1:4.4.36-5
ii libefivar1t64 38-3.1
ii libkeyutils1 1.6.3-3
ii libssl3t64 3.3.2-1
mokutil recommends no packages.
mokutil suggests no packages.
-- debconf-show failed
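The steps quoted from the wiki above, written as an idempotent script of the kind a maintainer script could call. This is an added example, not code from the bug report, from the Debian mokutil package or from Ubuntu's update-secureboot-policy; the function names generate_mok, mok_enrolled and enroll_mok are made up here. It keeps the wiki's key directory /var/lib/shim-signed/mok/ and enrolls the MOK.der it generated there (the wiki lines above import /var/lib/dkms/mok.pub, which is a separate key that dkms creates), never overwrites an existing private key, keeps the key 0600, and checks `mokutil --list-enrolled` for the certificate's SHA-1 fingerprint before calling `mokutil --import` again.

```shell
#!/bin/sh
# Added example: idempotent MOK generation and enrollment in the shape a
# postinst could use. Not the package's own code; helper names are invented.
set -eu

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"   # directory used by the wiki
MOK_CN="${MOK_CN:-Machine Owner Key}"            # subject CN of the generated cert

# generate_mok DIR CN: create DIR/MOK.priv, MOK.der and MOK.pem as the wiki
# describes, but only when no key exists yet (a regenerated key would silently
# invalidate every module already signed with the old one).
generate_mok() {
    dir="$1"; cn="$2"
    if [ -f "$dir/MOK.priv" ] && [ -f "$dir/MOK.der" ]; then
        return 0
    fi
    mkdir -p "$dir"
    chmod 0700 "$dir"
    # umask in a subshell so the private key is never created world-readable
    (umask 077; openssl req -nodes -new -x509 -newkey rsa:2048 \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
        -days 36500 -subj "/CN=$cn/")
    openssl x509 -inform der -in "$dir/MOK.der" -out "$dir/MOK.pem"
    chmod 0600 "$dir/MOK.priv"
    chmod 0644 "$dir/MOK.der" "$dir/MOK.pem"   # public parts may be readable
}

# mok_enrolled DER: succeed if the certificate's SHA-1 fingerprint is already
# listed by `mokutil --list-enrolled` (it prints colon-separated hex).
mok_enrolled() {
    fp=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | cut -d= -f2)
    mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"
}

# enroll_mok DER: queue the certificate for MokManager unless it is enrolled.
# mokutil --import asks for a one-time password and the user must confirm the
# enrollment in MokManager on the next boot; this cannot be completed silently.
enroll_mok() {
    if mok_enrolled "$1"; then
        echo "MOK already enrolled: $1"
        return 0
    fi
    mokutil --import "$1"
    mokutil --list-new      # shows the key that MokManager will ask about
}

# Only run the full procedure when invoked as `sh mok-setup.sh --setup`, so the
# functions can be sourced or tested without touching the MOK list.
if [ "${1:-}" = "--setup" ]; then
    generate_mok "$MOK_DIR" "$MOK_CN"
    enroll_mok "$MOK_DIR/MOK.der"
fi
```

Running it needs openssl, mokutil and root (writing under /var/lib and talking to the MokAuth EFI variable). The interactive password prompt in `mokutil --import` is the main reason a postinst cannot finish enrollment by itself; at most it can generate the key and queue it, and the user still has to approve it in MokManager at the next reboot.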