Joey Lee changed bug 1191480
What  | Removed                  | Added
Flags | needinfo?(jlee@suse.com) |

Comment # 13 on bug 1191480 from
(In reply to Michal Suchanek from comment #12)
> The key should be enrolled automagically but the --ignore-keyring option is
> not used.
> 
> If it's now needed to successfully enroll the key it needs to be added in the
> scripts.

I prefer to keep the logic for checking the keyring (the --ignore-keyring option
can disable it) but not add it to the scripts.

This mokutil function was added to prevent nvram space from being wasted. When
a shim and kernel are produced by the same project, the shim should have an
openSUSE CA embedded so that it can verify the kernel that is signed by the
openSUSE signkey. And the kernel has an openSUSE signkey embedded. So we don't
need to enroll the openSUSE signkey to MOK. This can save the limited nvram
space of the firmware.

About this issue: the user installed a kernel that is signed by another project
(Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So
shim's embedded CA cannot verify the non-openSUSE signed kernel. And mokutil
checks that the signkey is in the kernel keyring because it is embedded by the
kernel. So the key cannot be auto-enrolled.

