7 Mar
2023
7 Mar
'23
12:02
Jiri Slaby wrote:
Note that I'm not much in favor of this "functionality". BUt it's the way it is. We (open/SUSE) are required to have this so that MS will sign our shim. If the problem is policy disallowing signing non-locked-down kernels with a SUSE cert, would it be possible to add a new, unsigned, kernel flavor with the patches removed? (We already have kernel-vanilla which does not have the patches). Any existing certificate is irrelevant to someone who uses secure boot through UKI.