https://bugzilla.suse.com/show_bug.cgi?id=1190261
https://bugzilla.suse.com/show_bug.cgi?id=1190261#c9

Joey Lee <jlee@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jlee@suse.com)    |

--- Comment #9 from Joey Lee <jlee@suse.com> ---
Hi Martin,

Actually, I still don't know the background after reading this bug. But...

(In reply to Martin Wilck from comment #2)
> Joey, is it possible to use mok-manager to import certificates in DB if
> secureboot is disabled?
No, mok-manager can only be used to enroll certificates to the MOK variable.
UEFI DB is an authenticated variable; MokManager cannot write it, unless the
user enables setup mode and runs an EFI tool to enroll the key to db. But
normally the machine will not be in setup mode. Why do you want to use
MokManager to enroll DB?
> If it isn't, we could skip the mokutil step in that case.
>
> Or would it make sense to enroll the certs anyway, just in case SB is
> enabled at a later time?
MokManager still works for enrolling MOK when secure boot is disabled. It's
_NOT_ secure, but it works. Enrolling the kernel signkey is useful when the CA
of the kernel signkey is different from the CA in shim. Shim can use MOK to
verify the kernel binary.

On the other hand, there is a way to detect whether the system booted from
shim. Just check the existence of this file:

/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23

This file is created by shim when booting. If the system doesn't boot from
shim (e.g. direct boot from the EFI stub), then this MokListRT variable will
not exist.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
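The shim-detection check described in the comment, as an added example that is not part of the bug report or of shim/mokutil: a POSIX shell script that tests for the MokListRT efivar to decide whether shim is in the boot path, reads the UEFI SecureBoot flag to tell whether enrollment would be enforced, and turns that into an "enroll / skip the mokutil step" decision. The efivars directory is a parameter so the functions can be exercised against a constructed directory; the SecureBoot variable name and its EFI_GLOBAL_VARIABLE GUID are assumed here, as they are not named in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a mokutil enrollment
# step is worthwhile by inspecting efivarfs. Pass /sys/firmware/efi/efivars on
# a real system; the functions take the directory as $1 so they can be tested
# against a constructed directory.

# MokListRT is written by shim at boot (name and GUID from the bug report).
MOKLIST_RT='MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23'
# SecureBoot under EFI_GLOBAL_VARIABLE_GUID (assumed; not named in the report).
SECURE_BOOT='SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c'

# booted_via_shim DIR -> exit 0 if shim ran (MokListRT present), 1 otherwise.
# Only shim consults MOK, so without shim a MOK enrollment changes nothing.
booted_via_shim() {
    [ -e "$1/$MOKLIST_RT" ]
}

# secureboot_enabled DIR -> 0 enforced, 1 disabled, 2 unknown (no variable,
# unreadable, or not a UEFI boot). efivarfs files carry a 4-byte attribute
# header before the variable data, so the one-byte SecureBoot flag is byte 5.
secureboot_enabled() {
    f="$1/$SECURE_BOOT"
    [ -r "$f" ] || return 2
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# mok_enroll_advice DIR -> prints one of:
#   skip-no-shim       shim not in the boot path; MOK would never be consulted
#   enroll-enforced    shim + Secure Boot on; enrollment is verified and needed
#   enroll-unenforced  shim present but SB off; enrollment works but is not
#                      enforced (useful only if SB is enabled later)
#   unknown            SecureBoot variable missing or unreadable
mok_enroll_advice() {
    if ! booted_via_shim "$1"; then
        echo skip-no-shim
        return
    fi
    secureboot_enabled "$1" && sb=0 || sb=$?
    case "$sb" in
        0) echo enroll-enforced ;;
        1) echo enroll-unenforced ;;
        *) echo unknown ;;
    esac
}

# Constructed efivars directory for offline use: MokListRT present, and a
# SecureBoot file with attributes 0x00000007 followed by data byte 1.
make_fake_efivars() {
    d=$(mktemp -d)
    : > "$d/$MOKLIST_RT"
    printf '\007\000\000\000\001' > "$d/$SECURE_BOOT"
    echo "$d"
}

# When run directly on a UEFI machine, report the real decision.
if [ -d /sys/firmware/efi/efivars ]; then
    echo "this system: $(mok_enroll_advice /sys/firmware/efi/efivars)"
fi
```

The script only reads efivarfs, so it needs no privileges beyond read access to the variables; on a machine booted without UEFI the directory is absent and the checks report "unknown" rather than guessing.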