https://bugzilla.suse.com/show_bug.cgi?id=1173158 https://bugzilla.suse.com/show_bug.cgi?id=1173158#c60 --- Comment #60 from Michal Kubeček <mkubecek@suse.com> --- (In reply to Joey Lee from comment #59)

Yes, I think this is the key point. User should enroll the nolockdown kernel key by them self because shim will not embeds this "nolockdown kernel key". Microsoft will not sign that shim.

That's a relevant point. Just to be sure I understand: we would have exactly the same problem if we disabled LOCK_DOWN_IN_EFI_SECURE_BOOT in Leap 15.2 kernel-default and kernel-preempt, wouldn't we? Also, I didn't check the code but would LOCK_DOWN_IN_EFI_SECURE_BOOT affect kABI? But even if we could afford it, I'm still not convinced we should because the way I see it, such change would make secure boot essentially useless. -- You are receiving this mail because: You are the assignee for the bug.