Joey Lee changed bug 1190261
What    Removed                    Added
Flags   needinfo?(jlee@suse.com)

Comment # 9 on bug 1190261 from
Hi Martin, 

Actually, I still don't know the background after reading this bug. But...

(In reply to Martin Wilck from comment #2)
> Joey, is it possible to use mok-manager to import certificates in DB if
> secureboot is disabled?
> 

No, mok-manager can only be used to enroll certificates to the MOK variable. UEFI DB
is an authenticated variable. MokManager cannot write it, unless the user enables
setup mode and runs an EFI tool to enroll the key to db. But normally the machine will
not be in setup mode.

Why do you want to use MokManager to enroll DB?

> If it isn't, we could skip the mokutil step in that case.
> 
> Or would it make sense to enroll the certs anyway, just in case SB is
> enabled at a later time?

MokManager still works for enrolling MOK when secure boot is disabled. It's
_NOT_ secure, but it works. Enrolling the kernel signing key is useful when the CA of the
kernel signing key is different from the CA in shim. Shim can use MOK to verify the
kernel binary.

On the other hand, there is a way to detect whether the system booted from shim. Just
check for the existence of this file:
/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23

This file is created by shim when booting. If the system doesn't boot from shim
(e.g. direct boot from the EFI stub), then the MokListRT variable will not exist.

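The shim-detection check described in the comment above, written out as a small POSIX shell script. This is an added example, not code from the bug report, shim, or mokutil. It takes the efivars directory as a parameter so the logic can be exercised against a constructed directory; on a real system you would pass /sys/firmware/efi/efivars. It goes one step beyond the comment by also reading the SecureBoot variable: that variable's path (SecureBoot plus the EFI_GLOBAL_VARIABLE GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c) is taken from the UEFI specification, not from the bug report, and the 4-byte attribute prefix on efivarfs files is an assumption about efivarfs layout. Keep in mind what the comment already says: the presence of MokListRT only tells you shim ran, not that signature enforcement is on, so the SecureBoot byte is the value to consult for that.

```shell
#!/bin/sh
# Added example (not from bug 1190261, shim or mokutil): detect whether the
# running system was booted through shim, and read the SecureBoot state.
# EFIVARS_DIR is passed in so the functions can run against a constructed
# directory; the real one is /sys/firmware/efi/efivars.

# Variable shim creates at boot (GUID is the one named in the bug comment).
MOKLISTRT_VAR="MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
# SecureBoot under EFI_GLOBAL_VARIABLE; GUID taken from the UEFI spec, an
# assumption of this example rather than something the bug report states.
SECUREBOOT_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# booted_via_shim DIR -> exit 0 if MokListRT exists in DIR, 1 otherwise.
booted_via_shim() {
    [ -e "$1/$MOKLISTRT_VAR" ]
}

# secure_boot_state DIR -> prints "enabled", "disabled" or "unknown".
# Assumption: efivarfs files begin with a 4-byte attribute word, followed by
# the variable payload; for SecureBoot the payload is one byte (1 = enabled).
secure_boot_state() {
    f="$1/$SECUREBOOT_VAR"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    byte=$(dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# mok_enroll_plan DIR -> prints which step a package scriptlet would take:
# only bother with mokutil when shim is in the boot path.
mok_enroll_plan() {
    if booted_via_shim "$1"; then
        echo "shim: enroll via mokutil (secure boot $(secure_boot_state "$1"))"
    else
        echo "no shim: skip mokutil"
    fi
}

# make_fake_efivars DIR SHIM(0/1) SB(0/1): constructed fixture that mimics the
# efivarfs layout described above; used only to exercise the functions offline.
make_fake_efivars() {
    mkdir -p "$1"
    if [ "$2" = 1 ]; then
        # attribute word plus a dummy payload; contents are not inspected
        printf '\007\000\000\000dummy' > "$1/$MOKLISTRT_VAR"
    fi
    printf '\006\000\000\000' > "$1/$SECUREBOOT_VAR"
    if [ "$3" = 1 ]; then
        printf '\001' >> "$1/$SECUREBOOT_VAR"
    else
        printf '\000' >> "$1/$SECUREBOOT_VAR"
    fi
}

# Stand-alone usage: inspect the real sysfs tree.
if [ "${1:-}" = "--real" ]; then
    mok_enroll_plan /sys/firmware/efi/efivars
fi
```

Run it with `--real` on a UEFI machine to see the decision for the running system; without arguments it only defines the functions, which is what the constructed-fixture checks rely on.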
