Comment # 25 on bug 1173158 from
(In reply to Martin Wilck from comment #24)
> > In the worst case if storing the private key really is a
> > concern, a new one could be created for each rebuild of the ko and the
> > private key deleted afterwards.
> 
> That I'd really call the worst case. The whole MOK concept only makes sense
> if you generate a key that you intend to trust, and keep that key reasonably
> safe. If you're not willing to do that, you'll be better off by just
> disabling secure boot (or use unsigned modules).

I'm not disagreeing. The options for an out-of-the-box experience with secure
boot + proprietary kernel modules that doesn't suck are limited, though. As I
said, pick your poison. If MOK wanting to import keys on kernel updates once
per month is annoying (how annoying highly depends on the UI we offer, though),
users will ask Dr. Google, who would then hopefully point to an article on the
openSUSE wiki explaining alternatives such as turning off secure boot, not
using the NVIDIA driver or configuring some fancy secret key retrieval script.
That's still better than the kernel silently (yes, logging into dmesg is still
pretty silent) not loading the kernel module, resulting in a crashing X or so.

