On Fri, 22 Jan 2021 06:05:28 +0100, joeyli wrote:

> On Wed, Jan 20, 2021 at 10:22:47AM +0100, Takashi Iwai wrote:
> > On Wed, 20 Jan 2021 09:32:06 +0100, Marcus Meissner wrote:
> > > Some other form of enrollment needs to be considered, or e.g. that all KMPs are built in SLES.
> >
> > Hmm, I don't think it's a good idea. It doesn't scale, and would just bring more burden to both SUSE and openSUSE contributors.
> >
> > The MOK enrollment itself is an easy action, and once we have some automatic cert installation via a package chain, the only
>
> We will submit a certificate package for enrolling the Leap public key to MOK. Maybe the name is opensuse-leap-kmp-key.rpm or something like this. Then all KMPs depend on this key package.

The package name may need more consideration, but I think putting the dependency in the KMP is not a good way (although I myself suggested it above). Think of building a KMP in a devel project or another wild OBS project: bringing in opensuse-leap-kmp-key makes no sense for such a KMP. Also, imagine that you'd need to promote the Leap package to an official SLE one sometime later. The dependency on opensuse-leap-kmp-key is rather harmful. So, IMO, it should be enough to let the cert package be installed once via patterns. (Or somehow automatically when secure boot is detected? -- maybe it's too complex and error-prone.)

> > remaining problem is the UI, IMO. We need to improve the dialog in shim itself and/or provide more guidance at installation.
>
> A YaST step is an idea. Another idea is that we can try to put a description string when using mokutil, then the shim UI shows the description string. e.g. mokutil --root-pw --import public-256.der --desc "openSUSE Leap KMP key"
>
> Then the shim UI shows "openSUSE Leap KMP key" when guiding the user.

Well, giving a more descriptive name is certainly an improvement, and it'd be a nice change, but the basic problem remains: who would understand what to do next when looking at a dialog showing "openSUSE Leap KMP key"? :) The MOK enrollment procedure itself is non-intuitive, and this must be guided better for novice users. (Admittedly, the procedure is confusing even for experienced users!)

thanks,

Takashi
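As an added illustration of the "cert package that enrolls the key" idea discussed above (this is example code, not a script from the thread or from any openSUSE or SUSE package), the following sketches what such a package's post-install scriptlet would have to do: check that Secure Boot is on, check whether the key is already in the MOK list, and only then queue an enrollment request. `mokutil --sb-state`, `--test-key`, `--import` and `--root-pw` are existing mokutil options (`--root-pw` in the SUSE/openSUSE build); the `--desc` option proposed in the thread does not exist and is not used. The exact output strings of `--sb-state` and `--test-key` that the script matches on, and the key file path, are assumptions. The decision logic is kept in a pure-shell function so it can be exercised without mokutil or UEFI at hand.

```shell
#!/bin/sh
# Added example, not from the thread: the shape of a %post scriptlet for a
# hypothetical MOK certificate package. Path below is constructed; a real
# package would ship its own DER file.
KEY_DER="${KEY_DER:-/etc/uefi/certs/example-leap-kmp-key.der}"

# Decide what to do from the textual output of `mokutil --sb-state` and
# `mokutil --test-key`. The matched substrings ("SecureBoot enabled",
# "already enrolled") are assumptions about mokutil's wording.
# Prints one of: skip-no-secureboot, skip-already-enrolled, enroll
mok_action() {
    sb_state="$1"      # e.g. "SecureBoot enabled" / "SecureBoot disabled"
    test_key_out="$2"  # e.g. "<file> is already enrolled" / "<file> is not enrolled"
    case "$sb_state" in
        *"SecureBoot enabled"*) ;;
        *) echo skip-no-secureboot; return 0 ;;
    esac
    case "$test_key_out" in
        *"already enrolled"*) echo skip-already-enrolled ;;
        *) echo enroll ;;
    esac
}

# Queue the enrollment request. The MokManager dialog only appears on the next
# boot, and the user still has to confirm there: that is the UI gap the thread
# is talking about, and nothing a package can paper over.
enroll_key() {
    action=$(mok_action "$(mokutil --sb-state 2>/dev/null)" \
                        "$(mokutil --test-key "$KEY_DER" 2>/dev/null)")
    case "$action" in
        enroll)
            # --root-pw: MokManager asks for the root password instead of a
            # one-time password chosen at import time.
            mokutil --root-pw --import "$KEY_DER"
            echo "Enrollment of $KEY_DER queued; confirm it in MokManager on the next reboot." ;;
        *)
            echo "$action" ;;
    esac
}

# Only touch the real system when explicitly asked and the tools are present.
if [ "${1:-}" = "--run" ]; then
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not found"; exit 1; }
    [ -r "$KEY_DER" ] || { echo "missing $KEY_DER"; exit 1; }
    enroll_key
fi
```

Run with `--run` as root on a Secure Boot machine to actually queue the request; without arguments the script only defines the functions, which is what a package scriptlet would call. Note that `--import` queues the request but never completes enrollment by itself, so the package cannot make the key trusted without the reboot-time confirmation.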