What | Removed | Added |
---|---|---|
Flags | needinfo?(jlee@suse.com) |
(In reply to Michal Suchanek from comment #12)
> The key should be enrolled automagically but the --ignore-keyring option is
> not used.
>
> If it's now needed to successfully enroll the key it needs to be added in the
> scripts.

I prefer to keep the logic for checking the keyring (the --ignore-keyring option can disable it) but not add it to the scripts.

This mokutil function was added to prevent NVRAM space from being wasted. When a shim and kernel are produced by the same project, the shim has an openSUSE CA embedded so that it can verify a kernel signed by the openSUSE signkey, and the kernel has the openSUSE signkey embedded. So we don't need to enroll the openSUSE signkey into MOK. It saves the limited NVRAM space of the firmware.

About this issue, the user installed a kernel signed by another project (Kernel OBS Project/emailAddress=Kernel@build.opensuse.org, in this case). So shim's embedded CA cannot verify the non-openSUSE-signed kernel. And mokutil checks that the signkey is in the kernel keyring, because it is embedded by the kernel, so the key cannot be auto-enrolled.