On 11/17/21 11:01 AM, Tomas Pospisek wrote:
> Our instructions on Secure Boot [1] are a bit scatterbrained and do not
> specify precisely where the key should exist at.

I was the one who wrote them, after *A LOT* of research about it on the internet. It was hard to find, really. I just explained how to sign, with no intention to have this automated (at the time), so no wonder there's no standard path...

> I would edit those instructions so that they create the key at the same
> location Ubuntu has its MOK keys. However I would prefer not to collide
> with some tools or automation or scripts that do the same at the same
> place.

Please go ahead, and explain that this is the Ubuntu path.

> I think it'd be preferable if Debian created (or however Ubuntu does it)
> its key automatically at that same place as Ubuntu has them, which
> would make most of the instructions in the wiki [1] unnecessary and
> would make the user experience much easier and smoother since the
> (upstream) virtualbox package could install and sign its modules by
> itself without any user interaction, just like it happens under Ubuntu (?).
>
> ?

Well, to begin with, I wonder why the upstream virtualbox package is pushing its compiled modules at the wrong location, but yeah, sure!

Hopefully, we can have the automation to sign DKMS modules in a non-leaf package. I would strongly suggest we get a package with a very explicit name in it, like "dkms-automatic-mok-signing" so it would do the work. I would absolutely *not* go the path of disabling secure boot when a DKMS module gets installed...

That's only a suggestion, and I'm not volunteering, so that's only my 2 cents of comments... :)

Cheers,

Thomas Goirand (zigo)