On Wed, 14 Jun 2023 13:07:41 +0200, Michal Suchánek wrote:
On Tue, Jun 13, 2023 at 03:02:24PM +0200, Takashi Iwai wrote:
On Tue, 13 Jun 2023 14:50:36 +0200, Vlastimil Babka wrote:
On 6/13/23 14:46, Takashi Iwai wrote:
On Tue, 13 Jun 2023 13:10:53 +0200, Michal Suchánek wrote:
Hello,
As already said the status of --sb-state is irrelevant.
We have one place where the user expresses desire to use secure boot, and it's here:
/etc/sysconfig/bootloader:SECURE_BOOT="yes"
If that's yes, the platform supports secure boot, and it happens to be disabled, all the setup for making secure boot work should be done anyway.
If the user does not want to use secure boot ever, they can change this setting. There is no other way to tell if the secure boot is disabled 'temporarily' or 'permanently' on a platform that does support secure boot.
... and we have one place where the user expresses desire to use secure boot *on the whole system*: BIOS setup. That wins over whatever OS sets up. And, the --sb-state option corresponds to it. Hence checking it makes sense, too, if your logic applies :)
OTOH, it'd be certainly safer to deploy MOK no matter what value the sb-state option has for avoiding the possible cases. So, it doesn't sound too bad to use /etc/sysconfig/bootloader:SECURE_BOOT as a checker instead of the sb-state option -- as long as it's well documented.
Or, ideally, have a GUI to tweak this...
AFAIK the GUI is yast2-bootloader, checkbox "Secure Boot support".
Oh, thanks.
Then this made me wonder how we can handle this better: I don't think this checkbox will do the automatic MOK deployment when the nvidia driver was installed beforehand. So, having a check of /etc/sysconfig/bootloader:SECURE_BOOT instead of the --sb-state option would give you a similar dilemma. When switching it, it won't work automagically but some manual work is still needed.
The default is to enable secure boot when it is supported. If you disable it then you do not get keys enrolled, and it's difficult to fix.
Something that could be improved but is somewhat unrelated to the problem at hand. It's been like this on Leap for years.
True, and it implies that this switch isn't much used, too ;)

Takashi
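The check the thread goes back and forth about, as an added example that is not code from the thread or from any openSUSE package: a small POSIX shell helper that reads SECURE_BOOT from a sysconfig-style file and combines it with the string that mokutil --sb-state prints. It follows the logic stated above (the configured SECURE_BOOT setting decides whether MOK set-up is done; a firmware state of "SecureBoot disabled" only produces a warning, since the disabling may be temporary) and skips only when the platform has no EFI variables at all, where MOK enrollment cannot work. The function names and the sample file contents are assumptions; the mokutil output strings are the ones the tool prints on real systems, but the helper takes the string as a parameter so it runs offline without mokutil or a real /etc/sysconfig/bootloader.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from any package):
# decide whether MOK set-up should run, driven by the sysconfig setting rather
# than by the live firmware state alone.

# Print the value of SECURE_BOOT from a sysconfig-style file ($1), lowercased
# with surrounding double quotes stripped; prints an empty line if absent.
# Assumes the usual one KEY="value" per line layout of /etc/sysconfig files.
sysconfig_secure_boot() {
    sb_val=
    while IFS= read -r sb_line || [ -n "$sb_line" ]; do
        case "$sb_line" in
            SECURE_BOOT=*) sb_val=${sb_line#SECURE_BOOT=} ;;
        esac
    done < "$1"
    sb_val=${sb_val%\"}
    sb_val=${sb_val#\"}
    printf '%s\n' "$sb_val" | tr 'A-Z' 'a-z'
}

# $1 = path to the sysconfig file, $2 = output of "mokutil --sb-state"
# ("SecureBoot enabled", "SecureBoot disabled", or
# "EFI variables are not supported on this system" on a non-UEFI boot).
# Prints "enroll" when MOK set-up should be performed, "skip" otherwise.
mok_setup_decision() {
    sb_cfg=$(sysconfig_secure_boot "$1")
    case "$2" in
        *"not supported"*)
            # Legacy BIOS boot: no EFI variables, so no MOK to enroll into.
            echo skip
            return 0 ;;
    esac
    case "$sb_cfg" in
        yes)
            case "$2" in
                *disabled*)
                    # Firmware has SB off right now, but the user asked for SB:
                    # enroll anyway so a later re-enable in BIOS setup just works.
                    echo "warning: SECURE_BOOT=yes but firmware reports '$2'; enrolling anyway" >&2 ;;
            esac
            echo enroll ;;
        *)
            # SECURE_BOOT="no" (or unset): the user opted out of secure boot.
            echo skip ;;
    esac
}

# Stand-alone demo on a constructed sysconfig file (sample content, not a real
# system's configuration).
demo_file=$(mktemp)
printf 'LOADER_TYPE="grub2-efi"\nSECURE_BOOT="yes"\n' > "$demo_file"
echo "SB enabled in firmware : $(mok_setup_decision "$demo_file" 'SecureBoot enabled')"
echo "SB disabled in firmware: $(mok_setup_decision "$demo_file" 'SecureBoot disabled')"
echo "legacy BIOS boot       : $(mok_setup_decision "$demo_file" 'EFI variables are not supported on this system')"
rm -f "$demo_file"
```

The split into two functions is deliberate: the sysconfig reader is what a package %post script would call, while the decision takes the firmware state as text so the policy can be unit-tested on a machine whose own state differs from the case under test.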