Package: mokutil
Version: 0.6.0-2+b1
Severity: normal

https://wiki.debian.org/SecureBoot

The Debian wiki page about SecureBoot has the following instructions:

  # mkdir -p /var/lib/shim-signed/mok/
  # cd /var/lib/shim-signed/mok/
  # openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
  # openssl x509 -inform der -in MOK.der -out MOK.pem

  $ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for one-time password
  $ sudo mokutil --list-new # recheck your key will be prompted on next boot

I think that this should be done on installation by this package. The
mokutil command can't be used for its actual things until this is done, so
there's not much point in having it installed without this being done.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463

The above bug report has a lot of information on this. The below, copied
from the above bug report, has information on what Ubuntu is doing.

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/openssl.cnf
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/update-secureboot-policy

This Ubuntu update-secureboot-policy has a --new-key flag to generate the
MOK in /var/lib/shim-signed/mok/.

https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/debian/shim-signed.postinst
calls update-secureboot-policy --new-key on configure. It also signs the
dkms modules.

-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages mokutil depends on:
ii  libc6           2.40-3
ii  libcrypt1       1:4.4.36-5
ii  libefivar1t64   38-3.1
ii  libkeyutils1    1.6.3-3
ii  libssl3t64      3.3.2-1

mokutil recommends no packages.

mokutil suggests no packages.

-- debconf-show failed
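
Added example, not part of the original report and not Debian's or Ubuntu's packaging code: a sketch of how a maintainer script could run the wiki's key-generation commands idempotently, so that a reconfigure never replaces a key that modules are already signed with. The function names ensure_mok and mok_fingerprint, the default CN and the refusal on a half-present key pair are assumptions; enrolment with mokutil --import stays a manual step because it prompts for a one-time password.

```shell
#!/bin/sh
# Hypothetical helper: create the MOK once, with a private key only root can read.
# Usage: ensure_mok [DIR] [SUBJECT]   (DIR defaults to the wiki's path)
ensure_mok() {
    mok_dir="${1:-/var/lib/shim-signed/mok}"
    subject="${2:-/CN=Local Machine Owner Key/}"   # assumed default CN

    if [ -e "$mok_dir/MOK.priv" ] && [ -e "$mok_dir/MOK.der" ]; then
        # Regenerating would orphan every module signed with the old key.
        echo "MOK already present in $mok_dir, leaving it untouched"
        return 0
    elif [ -e "$mok_dir/MOK.priv" ] || [ -e "$mok_dir/MOK.der" ]; then
        # Half a key pair means an interrupted run or manual edits: do not guess.
        echo "incomplete key pair in $mok_dir, refusing to overwrite" >&2
        return 1
    fi

    (
        umask 077                      # directory and key are created owner-only
        mkdir -p "$mok_dir" || exit 1
        cd "$mok_dir" || exit 1
        # Same commands as the wiki page, with the subject made a parameter.
        openssl req -nodes -new -x509 -newkey rsa:2048 \
            -keyout MOK.priv -outform DER -out MOK.der \
            -days 36500 -subj "$subject" || exit 1
        openssl x509 -inform der -in MOK.der -out MOK.pem || exit 1
        chmod 600 MOK.priv
    ) || return 1
    echo "generated new MOK in $mok_dir"
}

# SHA-256 fingerprint of the certificate, for comparing against what
# "mokutil --list-new" shows before confirming enrolment at next boot.
mok_fingerprint() {
    openssl x509 -inform der -in "$1/MOK.der" -noout -fingerprint -sha256
}
```
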