On Thu, 15 Jun 2023 09:15:38 +0200, joeyli wrote:
On Wed, Jun 14, 2023 at 01:13:19PM +0200, Takashi Iwai wrote:
On Wed, 14 Jun 2023 13:07:41 +0200, Michal Suchánek wrote:
On Tue, Jun 13, 2023 at 03:02:24PM +0200, Takashi Iwai wrote:
On Tue, 13 Jun 2023 14:50:36 +0200, Vlastimil Babka wrote:
On 6/13/23 14:46, Takashi Iwai wrote:
On Tue, 13 Jun 2023 13:10:53 +0200, Michal Suchánek wrote:
Hello,
As already said the status of --sb-state is irrelevant.
We have one place where the user expresses desire to use secure boot, and it's here:
/etc/sysconfig/bootloader:SECURE_BOOT="yes"
If that's yes, the platform supports secure boot, and it happens to be disabled, all the setup for making secure boot work should be done anyway.
If the user does not want to use secure boot ever they can change this setting. There is no other way to tell if the secure boot is disabled 'temporarily' or 'permanently' on a platform that does support secure boot.
... and we have one place where the user expresses desire to use secure boot *on the whole system*: BIOS setup. That wins over whatever OS sets up. And, the --sb-state option corresponds to it. Hence checking it makes sense, too, if your logic applies :)
OTOH, it'd be certainly safer to deploy MOK no matter what value sb-state option has for avoiding the possible cases. So, it doesn't sound too bad to use /etc/sysconfig/bootloader:SECURE_BOOT as a checker instead of sb-state option -- as long as it's well documented.
Or, ideally, have a GUI to tweak this...
AFAIK the GUI is yast2-bootloader, checkbox "Secure Boot support".
Oh, thanks.
Then this made me wonder how we can handle this better: I don't think this checkbox will do the automatic MOK deployment when nvidia driver was installed beforehand. So, having a check of /etc/sysconfig/bootloader:SECURE_BOOT instead of --sb-state option would give you a similar dilemma. When switching it, it won't work automagically but some manual work is still needed.
The default is to enable secure boot when it is supported. If you disable it then you do not get keys enrolled, and it's difficult to fix.
Something that could be improved but is somewhat unrelated to the problem at hand. It's been like this on Leap for years.
True, and it implies that this switch isn't much used, too ;)
I have discussed the bootloader:SECURE_BOOT flag with Gary Lin yesterday. If the user chooses NO (did not select it during installation), then shim and signed-grub2 will not be installed. An unsigned(?) grub2 will be used.
It sounds good, but also it means that, when this checkbox is toggled on the running system, shim and signed-grub2 have to be installed automatically? I believe YaST currently just toggles the config variable, but we'll need more than that.
thanks, Takashi
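The decision rule argued in this thread (deploy MOK when SECURE_BOOT="yes" in /etc/sysconfig/bootloader and the platform supports Secure Boot, regardless of whether the firmware currently has it enabled), as an added shell example written for this page and not code from any openSUSE package; the sysconfig file contents and the mokutil --sb-state output it parses are constructed test inputs, and the function names are assumptions.

```shell
#!/bin/sh
# Example helper (not from openSUSE): decide whether MOK enrollment should be
# prepared. The user's intent lives in /etc/sysconfig/bootloader, so the
# firmware's current on/off state is only used to detect "unsupported".

# Read SECURE_BOOT from a sysconfig-style file: skip comments, take the last
# assignment, strip surrounding quotes. Prints "unset" if absent or unreadable.
sysconfig_secure_boot() {
    file="$1"
    [ -r "$file" ] || { echo "unset"; return; }
    val=$(sed -n 's/^[[:space:]]*SECURE_BOOT=//p' "$file" | tail -n 1 | tr -d "\"' ")
    [ -n "$val" ] && echo "$val" || echo "unset"
}

# Classify the platform from mokutil --sb-state output, passed in as text so the
# function runs offline: "enabled", "disabled", or "unsupported" (no EFI vars).
platform_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo "enabled" ;;
        *"SecureBoot disabled"*) echo "disabled" ;;
        *)                       echo "unsupported" ;;
    esac
}

# Returns 0 (deploy MOK) or 1 (skip). A disabled-but-supported platform with
# SECURE_BOOT="yes" still gets the enrollment prepared, as the thread proposes.
should_deploy_mok() {
    sysconfig_file="$1"; sb_output="$2"
    intent=$(sysconfig_secure_boot "$sysconfig_file")
    state=$(platform_sb_state "$sb_output")
    [ "$intent" = "yes" ] && [ "$state" != "unsupported" ]
}
```

On a real system the second argument would be `"$(mokutil --sb-state 2>&1)"`.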