On Sun, Oct 06, 2024 at 03:47:55PM +0100, Steve McIntyre wrote:
>Control: tag -1 wontfix
>Control: severity -1 wishlist
>
>On Sat, Oct 05, 2024 at 03:42:58PM +1000, Russell Coker wrote:
>>Package: mokutil
>>Version: 0.6.0-2+b1
>>Severity: normal
>>
>>https://wiki.debian.org/SecureBoot
>>
>>The Debian wiki page about SecureBoot has the following instructions:
>>
>># mkdir -p /var/lib/shim-signed/mok/
>># cd /var/lib/shim-signed/mok/
>># openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
>># openssl x509 -inform der -in MOK.der -out MOK.pem
>>
>>$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for one-time password
>>$ sudo mokutil --list-new # recheck your key will be prompted on next boot
>>
>>I think that this should be done on installation by this package. The
>>mokutil command can't be used for its actual things until this is done
>>so there's not much point in having it installed without this being done.
>
>No, not at all. Mokutil is also very useful for diagnostics on a SB
>system, e.g.:
>
>lump:~$ mokutil --db | head -10
>[key 1]
>SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
>Certificate:
>  Data:
>    Version: 3 (0x2)
>    Serial Number:
>      61:08:d3:c4:00:00:00:00:00:04
>    Signature Algorithm: sha256WithRSAEncryption
>    Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
>    Validity
>
>lump:~$ mokutil --sb-state
>SecureBoot disabled
>
>Not everybody is using the package to enrol keys...
I just realised how grumpy that might sound... :-)

A patch to add a script to do the key generation for users, and (maybe?) a
debconf question to ask them if they'd like it to be run would be nice,
though!

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
We don't need no education.
We don't need no thought control.
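A sketch of the kind of helper script suggested above, added here as an example and not part of mokutil or the Debian wiki: it reuses the wiki's openssl invocation and directory, refuses to overwrite a key that already exists (regenerating would orphan every module signed with the old key and any MOK entry already enrolled), keeps the private key readable only by root, and only queues the certificate for enrolment when its fingerprint is not already in the enrolled MOK list. The variables MOK_DIR, MOK_DAYS and MOK_CN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed helper for one-time Machine Owner Key setup (example only,
# not shipped by mokutil). Source it, then call: mok_generate && mok_enrol
set -eu

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"   # path from the wiki steps
MOK_DAYS="${MOK_DAYS:-36500}"                    # validity from the wiki steps
MOK_CN="${MOK_CN:-Machine Owner Key}"            # assumed default subject

# Create MOK.priv / MOK.der / MOK.pem in $1 (default $MOK_DIR).
# Returns 0 when a key pair was created, 2 when one already existed.
mok_generate() {
    dir="${1:-$MOK_DIR}"
    if [ -f "$dir/MOK.priv" ] || [ -f "$dir/MOK.der" ]; then
        echo "mok: key already present in $dir, not overwriting" >&2
        return 2
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    # umask 077 so the private key is never group/world readable, even briefly.
    ( umask 077 && openssl req -nodes -new -x509 -newkey rsa:2048 \
          -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
          -days "$MOK_DAYS" -subj "/CN=$MOK_CN/" >/dev/null 2>&1 )
    openssl x509 -inform der -in "$dir/MOK.der" -out "$dir/MOK.pem"
    chmod 600 "$dir/MOK.priv"
    return 0
}

# SHA1 fingerprint of a DER certificate in the colon-separated lowercase
# form that mokutil prints (e.g. 46:de:f6:...), so the two can be compared.
mok_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Queue the certificate for enrolment on next boot unless it is already
# enrolled; mokutil --import prompts for the one-time password itself.
mok_enrol() {
    dir="${1:-$MOK_DIR}"
    fp="$(mok_fingerprint "$dir/MOK.der")"
    if mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"; then
        echo "mok: $fp already enrolled, nothing to do" >&2
        return 0
    fi
    mokutil --import "$dir/MOK.der"
}
```

After the reboot, `mokutil --list-enrolled` should show the same fingerprint that `mok_fingerprint` reports for MOK.der.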