Hi Stefan,
Just that we don't use "-nodes" option, but add -addext "extendedKeyUsage=codeSigning"
Thanks, I tried removing -nodes and adding that and still no luck. When I removed -nodes it also wanted a PEM pass phrase, whereas with -nodes it does not.
Nevertheless now with TW's current lockdowned 6.2.1 kernel we're suffering from the same issue as you. :-(
In this article on Debian and secure boot

https://wiki.debian.org/SecureBoot

it talks about putting the *.priv and *.der files in /var/lib/shim-signed/mok/. But I tried that and it still doesn't work.

It also says to verify your key is loaded after rebooting with

    mokutil --list-enrolled

shows my key is enrolled

    sudo dmesg | grep cert # verify your key is loaded

And I tried and it does not list my key.

The fact that I sign the modules yet modprobe fails because it says they are unsigned leads me to believe that there is some other step which needs to be done which is causing the problem.

It seems like this kernel lockdown should not be enabled until someone can properly document the exact steps required to sign a module.

Doesn't virtualbox have this exact same issue with needing the modules signed? Since it is in the TW repos (whereas vmware is not) I would expect whoever compiles virtualbox has a process for signing the modules which works, so can't we reach out to them for what they are doing that we are missing?

Thanks
Joe
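One check that separates "the signature never made it into the file" from "the kernel does not trust the key", given here as an added example that is not part of the original message: it parses the trailer that the kernel's module signing appends to a .ko file. It assumes an uncompressed .ko passed as the first argument; the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker the kernel looks for at end of file
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature (12 bytes, sig_len big-endian)
PKEY_ID_PKCS7 = 2                          # id_type used for PKCS#7 module signatures


def module_signature_info(blob):
    """Return None when no signature is appended, else a dict describing the trailer."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_len = end - TRAILER.size - sig_len
    if payload_len < 0:
        raise ValueError("sig_len is larger than the file")
    return {
        "is_pkcs7": id_type == PKEY_ID_PKCS7,
        # For PKCS#7 signatures these four fields are expected to be zero.
        "reserved_ok": (algo, hash_algo, signer_len, key_id_len) == (0, 0, 0, 0),
        "sig_len": sig_len,
        "payload_len": payload_len,
    }


def constructed_sample(signed):
    """Constructed stand-in for a .ko file; the 'signature' bytes are filler, not real PKCS#7."""
    payload = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return payload
    fake_sig = b"\x30" * 256
    return payload + fake_sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig)) + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_sample(signed=True)
    info = module_signature_info(data)
    print("no signature appended" if info is None else info)
```

A result of None means the file carries no signature at all; a populated result means the signature is present and the remaining question is whether the kernel trusts the signing key.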