On 6/14/23 07:04, Michal Suchánek wrote:
And why does it have to be a one-time key? That's what upstream recommends, but it also recommends making lockdown independent of secure boot, and next to nobody uses that.
From the https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS DKMS documentation it looks like it uses a permanent key.
Of course, storing a permanent key on disk is somewhat less secure than an ephemeral key, but besides usability there is also the concern of wearing down the flash storage holding the firmware configuration by enrolling a new key on every update.
Thanks
Michal
For non-rolling distros, that wouldn't be a concern, but for rolling distros, that would be a lot of updates. I'd like to believe that it would not cause the flash to fail sooner, but I imagine having to replace your motherboard because the flash failed. I guess one could turn off secure boot if that happened; however, wouldn't that be a write to the same flash that failed?

--
Regards,
Joe