http://bugzilla.opensuse.org/show_bug.cgi?id=1191480 http://bugzilla.opensuse.org/show_bug.cgi?id=1191480#c17 Michal Suchanek <msuchanek@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://github.com/openSUSE | |/suse-module-tools/pull/48/ | |commits/1bbbe4c04286ba917c9 | |f5dc5817927d017447d95 --- Comment #17 from Michal Suchanek <msuchanek@suse.com> --- Proposed fix https://github.com/openSUSE/suse-module-tools/pull/48/commits/1bbbe4c04286ba... (In reply to Joey Lee from comment #13)
(In reply to Michal Suchanek from comment #12)
The key should be enrolled automagically but the --ignore-keyring option is not used.
If it's now needed to successfully enroll the key it needs to be adde in the scripts.
I prefer to keep the logic for checking keyring (--ignore-keyring option can disable it) but not add it to scripts.
This mokutil function be added to prevent that the nvram space be wasted. When a shim and kernel be produced by the same project. The shim should be embedded a openSUSE CA that it can verify the kernel that be signed by openSUSE signkey. And, the kernel is emabedded a openSUSE signkey. So we don't need enroll openSUSE signkey to MOK. It can save limited nvraom space of firmware.
About this issue, user installed a kernel be signed by another project (Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So shim's embedded CA can not verify the non-openSUSE signed kernel. And, mokutil checks the signkey is in kernel keyring because it be embedded by kernel. So the key can not be auto-enrolled.
Then the check is wrong. The CA check should suffice to not enroll keys needlessly. On the other hand, kernel keys should be enrolled and they are expected to be in the kernel keyring so checking against the kernel keyring is pointless for kernel keys. -- You are receiving this mail because: You are on the CC list for the bug.