
Bug#989463: provide /var/lib/shim-signed/mok/MOK.(priv|pem|der)

On Thu, 18 Nov 2021, Thomas Goirand wrote:

On 11/17/21 11:01 AM, Tomas Pospisek wrote:
Our instructions on Secure Boot [1] are a bit scatterbrained and do not
specify precisely where the key should exist.

I was the one who wrote them, after *A LOT* of research about it on the
internet. It was hard to find, really.

I just explained how to sign, with no intention to have this automated
(at the time), so no wonder there's no standard path...

I did not intend my characterisation of the instructions as a critique of your work. I am extremely happy that you actually *did* the work for all of us so we can stand on the shoulders of what you did. Very much +1 and many thanks really!!!

(And thanks & cheers to the Debian EFI Team as well :-D !!!!)

I would edit those instructions so that they create the key at the same
location Ubuntu has its MOK keys. However I would prefer not to collide
with some tools or automation or scripts that do the same at the same
place.

Please go ahead, and explain that this is the Ubuntu path.

Done.

I think it'd be preferable if Debian created (or however Ubuntu does it)
its key automatically at the same place as Ubuntu has them, which
would make most of the instructions in the wiki [1] unnecessary and
would make the user experience much easier and smoother since the
(upstream) virtualbox package could install and sign its modules by
itself without any user interaction, just like it happens under Ubuntu (?).

?

Well, to begin with, I wonder why the upstream virtualbox package is
pushing its compiled modules at the wrong location, but yeah, sure!

I guess one can always talk to upstream...

Hopefully, we can have the automation to sign DKMS modules in a non-leaf
package. I would strongly suggest we get a package with a very explicit
name in it, like "dkms-automatic-mok-signing" so it would do the work. I
would absolutely *not* go the path of disabling secure boot when a DKMS
module gets installed...

Since I have not looked further, I am *guessing* that Ubuntu does the automatic creation of the MOK key in the shim-signed package. So I think it should be possible to lift Ubuntu's work out of there and also put it into the shim-signed package, into postinst or so.

*t
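The automation discussed above (create the MOK key once at the Ubuntu path, then sign DKMS-built modules with it without user interaction), sketched as an added example. This is not code from the bug thread, from Debian's wiki, or from Ubuntu's shim-signed package; the function names, the openssl config, the certificate subject and the location of sign-file under the running kernel's headers are assumptions made for this example. The only path taken from the page is /var/lib/shim-signed/mok/MOK.(priv|pem|der) from the bug title.

```shell
#!/bin/sh
# Added example (not from the bug thread, Debian or Ubuntu): create a MOK
# key pair at the Ubuntu path if none exists, and sign a DKMS-built module
# with it. Function names, the openssl config and the sign-file location
# are assumptions made for this example.
set -eu

# Path named in the bug title; override with MOK_DIR=... for testing.
MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"

# Create MOK.priv, MOK.der and MOK.pem unless a key is already present.
# An existing key is never overwritten: it may already be enrolled in the
# firmware, and replacing it would silently break every module signed so far.
ensure_mok_key() {
    if [ -s "$MOK_DIR/MOK.priv" ] && [ -s "$MOK_DIR/MOK.der" ]; then
        return 0
    fi
    mkdir -p "$MOK_DIR"
    chmod 700 "$MOK_DIR"
    # Assumed config: a self-signed cert restricted to code signing, plus
    # shim's "module signing only" EKU so the key cannot vouch for bootloaders.
    cat > "$MOK_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_mok
prompt             = no

[ req_dn ]
CN = Local DKMS module signing key

[ v3_mok ]
basicConstraints     = critical,CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = codeSigning,1.3.6.1.4.1.2312.16.1.2
subjectKeyIdentifier = hash
EOF
    # umask 077 in a subshell so the private key is created 0600.
    (
        umask 077
        openssl req -config "$MOK_DIR/openssl.cnf" -new -x509 -newkey rsa:2048 \
            -nodes -days 36500 -outform DER \
            -keyout "$MOK_DIR/MOK.priv" -out "$MOK_DIR/MOK.der"
    )
    # PEM copy of the certificate for tools that cannot read DER.
    openssl x509 -inform DER -in "$MOK_DIR/MOK.der" -out "$MOK_DIR/MOK.pem"
    rm -f "$MOK_DIR/openssl.cnf"
}

# Return 0 if MOK.der parses and carries the code-signing EKU.
mok_cert_ok() {
    openssl x509 -inform DER -in "$MOK_DIR/MOK.der" -noout -text 2>/dev/null \
        | grep -q 'Code Signing'
}

# Return 0 if the module already carries a kernel signature trailer.
# sign-file appends the 28-byte marker "~Module signature appended~\n".
is_signed() {
    tail -c 28 "$1" | grep -q 'Module signature appended'
}

# Sign one module with the kernel's sign-file. Fail loudly if the tool is
# missing instead of leaving an unsigned module that Secure Boot will reject.
sign_module() {
    ko="$1"
    signer="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    if [ ! -x "$signer" ]; then
        echo "sign-file not found at $signer (install linux-headers?)" >&2
        return 2
    fi
    if is_signed "$ko"; then
        echo "$ko is already signed" >&2
        return 0
    fi
    "$signer" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$ko"
}

# Enrol the public key once; mokutil asks for a one-time password and the
# enrolment is completed by MokManager at the next reboot.
enroll_mok() {
    mokutil --import "$MOK_DIR/MOK.der"
}

# Usage (as root): ./mok-sign.sh /path/to/module.ko
if [ "$#" -gt 0 ]; then
    ensure_mok_key
    sign_module "$1"
fi
```

The two properties a postinst hook needs are that key creation is idempotent (a second run must leave an already enrolled key untouched) and that signing fails visibly when sign-file is absent, rather than installing an unsigned module that the kernel will refuse to load under Secure Boot. Enrolment still requires one interactive step (the mokutil password and the MokManager prompt at reboot); nothing in the thread suggests a way around that.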