Hi Joe,
On Tue, Jun 13, 2023 at 04:41:03PM -0400, Joe Salmeri wrote:
On 6/12/23 05:12, Stefan Dirsch wrote:
The key for the kernel is always the same, so enrolled once in MOK. (Once
every time you install a kernel from a different project.)
But nvidia is different, right? The key differs on every update. Or not?
Exactly. With each nvidia driver *and* kernel update we generate a new key/certificate. Unfortunately we can't keep the SB key on the disk for security reasons.
I don't use nvidia, but doesn't that mean that the MOK is going to end up with lots of keys for older nvidia drivers which are no longer even installed?
Per my understanding, the old one-time key will be removed.
Could a user run into some limit on the number of keys installed?
It depends on the NVRAM size of the firmware. Different firmware reserves different space for EFI variables. Should check with the firmware team.
Thanks
Joey Lee
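
As an added illustration (not part of the original thread or of any project's code): a Python sketch that counts the entries in an enrolled-key list and the bytes they occupy, which is the figure that matters against a firmware's EFI variable space. It assumes the MOK list is stored as UEFI `EFI_SIGNATURE_LIST` structures and read through efivarfs with its 4-byte attribute prefix; the function names, owner GUID and sample blob are constructed for the example.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HDR = 28  # SignatureType GUID (16) + three little-endian uint32 sizes


def parse_signature_lists(blob, efivarfs=True):
    """Return (type_guid, owner_guid, data_len) for every enrolled entry."""
    off = 4 if efivarfs else 0  # efivarfs files start with 4 attribute bytes
    entries = []
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + HDR + hdr_size, off + list_size
        if sig_size < 16 or body > end or end > len(blob) or (end - body) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, sig_size - 16))
        off = end
    return entries


def summarize(blob, efivarfs=True):
    """Count entries and bytes, to compare against the firmware's variable space."""
    entries = parse_signature_lists(blob, efivarfs)
    return {
        "entries": len(entries),
        "x509": sum(1 for e in entries if e[0] == EFI_CERT_X509_GUID),
        "payload_bytes": sum(e[2] for e in entries),
        "variable_bytes": len(blob) - (4 if efivarfs else 0),
    }


def build_sample(cert_sizes):
    """Constructed sample: one X.509-typed list per placeholder 'certificate'."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner
    blob = struct.pack("<I", 0x06)  # attribute prefix: BS | RT
    for n in cert_sizes:
        sig = owner.bytes_le + b"\x30" * n  # filler bytes, not a real cert
        blob += EFI_CERT_X509_GUID.bytes_le
        blob += struct.pack("<III", HDR + len(sig), 0, len(sig)) + sig
    return blob


if __name__ == "__main__":
    # Three constructed entries standing in for keys left by successive updates.
    print(summarize(build_sample([1000, 1200, 900])))
```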