On Thu, 18 Nov 2021 13:32:58 +0100 Thomas Goirand <z...@debian.org> wrote:
> On 11/18/21 7:15 AM, Tomas Pospisek wrote:
> > On Thu, 18 Nov 2021, Thomas Goirand wrote:
> >
> >> On 11/17/21 11:01 AM, Tomas Pospisek wrote:
(...)
> >> Hopefully, we can have the automation to sign DKMS modules in a non-leaf
> >> package. I would strongly suggest we get a package with a very explicit
> >> name in it, like "dkms-automatic-mok-signing" so it would do the work. I
> >> would absolutely *not* go the path of disabling secure boot when a DKMS
> >> module gets installed...
> >
> > Since I have not looked further I am *guessing* that Ubuntu does the
> > automatic creation of the MOK key in the shim-signed package. So I think
> > it should be possible to lift Ubuntu's work out of there and also put it
> > into the shim-signed package, into postinst or so.
> >
> > *t
>
> As I understand, doing updates of shim-signed requires a signature from
> Microsoft, so probably it's not the best place to do some change.

https://salsa.debian.org/efi-team/shim-signed/-/tree/master/

The efi binaries are signed but not the package itself. Modifying the
package postinst and its update-secureboot-policy script is fine.

> As for module automatic signatures, maybe this could go into the dkms
> package itself, with some kind of configuration? Again, just a
> suggestion... :)

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/openssl.cnf
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/update-secureboot-policy

This Ubuntu update-secureboot-policy has a --new-key flag to generate the
MOK in /var/lib/shim-signed/mok/.

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/debian/shim-signed.postinst

calls update-secureboot-policy --new-key on configure. It also signs the
dkms modules.

Cheers,

Alban
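As an added illustration of the mechanism discussed above (this is not code from shim-signed, dkms or Ubuntu's update-secureboot-policy), the script below does what a postinst that creates a MOK and signs DKMS modules has to do: generate a module-signing key pair, sanity-check it, and sign a .ko with the kernel's sign-file. The openssl.cnf contents, file names and the MOK_DIR default are assumptions.

```shell
# Added example, not shim-signed's own code. MOK_DIR defaults to a scratch
# directory; the real package keeps the key in /var/lib/shim-signed/mok/.
set -eu
MOK_DIR="${MOK_DIR:-$(mktemp -d)}"

# OpenSSL config for a module-signing key (assumed layout, not Ubuntu's
# file). 1.3.6.1.4.1.2312.16.1.2 is the kernel module-signing EKU OID.
write_mok_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = mok_ext
prompt = no
[ req_dn ]
CN = Example automatic DKMS signing key
[ mok_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
subjectKeyIdentifier = hash
EOF
}

# Generate the MOK key pair; the DER form of the cert is what mokutil enrolls.
generate_mok() {
  mkdir -p "$MOK_DIR"
  write_mok_cnf "$MOK_DIR/openssl.cnf"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
    -config "$MOK_DIR/openssl.cnf" \
    -keyout "$MOK_DIR/MOK.priv" -out "$MOK_DIR/MOK.pem" 2>/dev/null
  chmod 600 "$MOK_DIR/MOK.priv"
  openssl x509 -in "$MOK_DIR/MOK.pem" -outform DER -out "$MOK_DIR/MOK.der"
}

# Sanity checks a postinst should run before signing anything with the key.
mok_cert_is_code_signing() {
  openssl x509 -in "$MOK_DIR/MOK.pem" -noout -text | grep -q 'Code Signing'
}
mok_key_matches_cert() {
  a=$(openssl x509 -in "$MOK_DIR/MOK.pem" -noout -pubkey)
  b=$(openssl pkey -in "$MOK_DIR/MOK.priv" -pubout)
  [ "$a" = "$b" ]
}

# Sign one module with the kernel's sign-file (shipped in linux-headers);
# fail loudly rather than leave an unsigned module that Secure Boot rejects.
sign_module() {
  sf="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
  [ -x "$sf" ] || { echo "sign-file not found for $(uname -r)" >&2; return 1; }
  "$sf" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$1"
}
```

After generate_mok, a real postinst would enroll MOK.der with mokutil (which queues the request for the next boot) and then call sign_module on each DKMS-built .ko under /lib/modules.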