(In reply to Joey Lee from comment #59)
> Yes, I think this is the key point. User should enroll the nolockdown kernel
> key by themselves because shim will not embed this "nolockdown kernel key".
> Microsoft will not sign that shim.

That's a relevant point. Just to be sure I understand: we would have exactly the same problem if we disabled LOCK_DOWN_IN_EFI_SECURE_BOOT in Leap 15.2 kernel-default and kernel-preempt, wouldn't we?

Also, I didn't check the code, but would LOCK_DOWN_IN_EFI_SECURE_BOOT affect kABI?

But even if we could afford it, I'm still not convinced we should because, the way I see it, such a change would make secure boot essentially useless.