Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key

To: Jesse Rhodes <jesse@sney.ca>, 1108278@bugs.debian.org
Subject: Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
From: Steve McIntyre <steve@einval.com>
Date: Tue, 29 Jul 2025 18:04:31 +0100
Message-id: <[🔎] 20250729170431.GA3074535@tack.einval.com>
Reply-to: Steve McIntyre <steve@einval.com>, 1108278@bugs.debian.org
In-reply-to: <[🔎] f6852676-858e-46d7-be35-4118e8b60f85@sney.ca>
References: <aFraphsgJGcoLmsZ@thunder.hadrons.org> <[🔎] f6852676-858e-46d7-be35-4118e8b60f85@sney.ca> <aFraphsgJGcoLmsZ@thunder.hadrons.org>

On Mon, Jul 07, 2025 at 05:52:45PM -0400, Jesse Rhodes wrote:
>If update-secureboot-policy can query mokutil to check if secure boot is
>enabled, then it can also query mokutil to check if the key from
>/var/lib/dkms/mok.pub is enrolled. This popup should never appear on a system
>with secure boot configured correctly with dkms.

Nod, that's exactly the logic needed. Just testing code to do that now.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.

Reply to:

References:
- Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
  - From: Jesse Rhodes <jesse@sney.ca>

Prev by Date: Bug#1110022: fwupd: please drop the build-dependency on old python3-toml
Next by Date: Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
Previous by thread: Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
Next by thread: Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
Index(es):
- Date
- Thread