Package: shim-signed
Version: 1+2.04+17

When upgrading a bullseye installation on a machine with dkms installed, an update to shim-signed posted the following pop-up for me twice:

---
UEFI Secure Boot is not compatible with the use of third-party drivers.

The system will assist you in toggling UEFI Secure Boot. To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then use the same password after reboot to confirm the change.

If you choose to proceed but do not confirm the password upon reboot, the Secure Boot configuration will not be changed, and the machine will continue booting as before.

If Secure Boot remains enabled on your system, your system may still boot but any hardware that requires third-party drivers to work correctly may not be usable.
---

Apart from the bit where this was completely not needed (the kernel image didn't change), this message is misleading. Debian *cannot* disable UEFI Secure Boot. What happens is that shim disables verification, and the kernel ends up not enabling lockdown mode.

My concern is that the vagueness of the description, coupled with the vast amount of documentation online (including the Debian wiki) casually suggesting disabling Secure Boot if there are any issues, will lead to users with perfectly functioning secure installations manually disabling UEFI Secure Boot on reboot.

What this text *should* be saying is something like:

---
Third-party drivers must be manually signed/installed for newly installed kernels

The system will assist you in disabling kernel image/module verification. To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then use the same password after reboot to confirm the change.

If you choose to proceed but do not confirm the password upon reboot, the kernel image/module verification configuration will not be changed, and the machine will continue booting as before.

If kernel image/module verification remains enabled on your system, your system may still boot but any hardware that requires third-party drivers to work correctly may not be usable.
---
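The distinction the report draws (firmware Secure Boot off, versus shim validation disabled with the kernel left out of lockdown) can be checked from a running system. The script below is an added example, not part of the bug report or the shim-signed package; it assumes the efivars layout (4-byte attribute header before the data), the UEFI global variable `SecureBoot`, shim's `MokSBStateRT`/`MokSBState` variable (1 = validation disabled), and the kernel's `/sys/kernel/security/lockdown` file. Paths are parameters so it can be pointed at a constructed directory.

```shell
#!/bin/sh
# Added example: tell "firmware Secure Boot off" apart from "shim validation disabled".
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23    # shim/MOK variable GUID (assumed)

# Print the first data byte of an efivars file, skipping the 4-byte attribute
# header, or "absent" when the variable does not exist.
efivar_byte() {
    [ -r "$1" ] || { echo absent; return; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# $1 = efivars directory (default /sys/firmware/efi/efivars)
# Prints one of: firmware-off, shim-validation-disabled, enforcing
boot_verification_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL")
    if [ "$sb" != 1 ]; then
        # Firmware itself is not enforcing; this is what the dialog wrongly implies.
        echo firmware-off
        return
    fi
    # shim publishes a runtime copy of its MOK Secure Boot state; 1 means
    # "validation disabled" (the state mokutil --disable-validation sets).
    moksb=$(efivar_byte "$dir/MokSBStateRT-$SHIM_GUID")
    if [ "$moksb" = absent ]; then
        moksb=$(efivar_byte "$dir/MokSBState-$SHIM_GUID")
    fi
    if [ "$moksb" = 1 ]; then
        echo shim-validation-disabled
        return
    fi
    echo enforcing
}

# Kernel lockdown mode, e.g. "none" or "integrity"; the bracketed entry is active.
lockdown_mode() {
    f=${1:-/sys/kernel/security/lockdown}
    [ -r "$f" ] || { echo unknown; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

echo "boot verification: $(boot_verification_state)"
echo "kernel lockdown:   $(lockdown_mode)"
```

On a system that went through the dialog and confirmed the change, the expected reading is `shim-validation-disabled` with lockdown `none`, while `SecureBoot` itself still reports 1.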