Hi Joey,

Is there a way we can have Secure Boot, kernel lockdown enabled, BUT still have the ability to generate our own key, compile and sign modules with that key, mokutil --import and enroll the key during reboot, and have the kernel load the modules signed with our key? If that is possible, then it sounds like that would resolve all the complaints from the users I have talked to. It would certainly work for my use case, which involves compiling the vmware vmmon and vmnet kernel modules.
I didn't port the KEYS-Make-use-of-platform-keyring-for-module-signatu.patch patch to the Tumbleweed kernel. We need this patch to allow the .platform (db and mok) keyring to be used to verify kernel modules. Otherwise we will need shim v15.5 or later. But now we only have MS-signed shim 15.4 for Tumbleweed.
If that patch had been ported, would that have provided what I asked in my first question?

Thanks for your efforts with these issues!

Joe