[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c61

--- Comment #61 from Martin Wilck <martin.wilck@suse.com> ---

(In reply to Joey Lee from comment #59)
> Yes, I think this is the key point. Users should enroll the nolockdown kernel key by themselves because shim will not embed this "nolockdown kernel key".
That's not a big problem. The situation would be the same as we have today with TW and Leap 15.1. The deployment of the new key via mokutil is pretty streamlined and yet safe.
> Microsoft will not sign that shim.
The shim shipped by openSUSE *is* signed by Microsoft, despite the fact that no openSUSE kernel released in the last few years had the lockdown feature. Or am I getting that wrong?

(In reply to Michal Kubeček from comment #60)
> But even if we could afford it, I'm still not convinced we should because the way I see it, such change would make secure boot essentially useless.
You're probably aware that opinions on this subject differ strongly, even among the experts. While I tend to agree in principle, please let's realize that until a few days ago, no Leap 15 kernel was enforcing signed modules. We might all have our secure boot chain subverted years ago, and never noticed. IOW, secure boot has always been "useless" on Leap. openSUSE can only improve in this area.

--
You are receiving this mail because:
You are the assignee for the bug.