On 06/03/2023 00:23, Jiri Slaby wrote:
Trust me, if there is any widespread problem, I will revert the patchset from TW instantly. And let them retry later, when all is settled. Unfortunately without this trial phase, we cannot find out.
Note that I'm not much in favor of this "functionality". BUt it's the way it is. We (open/SUSE) are required to have this so that MS will sign our shim.
So, does the patchset break many people's computer with nvidia or not?
thanks,
Short answer is yes it caused at least some people problems: on installing 6.2.1, if users with Tumbleweed+NVIDIA+Secure Boot took no additional actions, they definitely had no display on the next reboot. I can provide anecdotes from Reddit: https://www.reddit.com/r/openSUSE/comments/11hmjqh/warning_tumbleweed_kernel... Now that Stefan knows and has enabled the signing functionality in TW RPMs things are better, but it still requires attention & manual intervention to re-enroll the key every so often, so it is not completely painless. If this patchset will stay in the standard kernel variants signed by the official key, one suggestion I have is to provide another kernel variant with lockdown off, signed by a different key. This different kernel signing key will still need manual trust once after install to keep the shim "pure", but doing that should be easier for users than having to deal with a set of local keys for each external module. Thanks, T