Control: tag -1 wontfix
Control: severity -1 wishlist

On Sat, Oct 05, 2024 at 03:42:58PM +1000, Russell Coker wrote:
>Package: mokutil
>Version: 0.6.0-2+b1
>Severity: normal
>
>https://wiki.debian.org/SecureBoot
>
>The Debian wiki page about SecureBoot has the following instructions:
>
># mkdir -p /var/lib/shim-signed/mok/
># cd /var/lib/shim-signed/mok/
># openssl req -nodes -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
># openssl x509 -inform der -in MOK.der -out MOK.pem
>
>$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for one-time password
>$ sudo mokutil --list-new # recheck your key will be prompted on next boot
>
>I think that this should be done on installation by this package. The
>mokutil command can't be used for its actual things until this is done
>so there's not much point in having it installed without this being done.

No, not at all. Mokutil is also very useful for diagnostics on a SB
system, e.g.:

lump:~$ mokutil --db | head -10
[key 1]
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:08:d3:c4:00:00:00:00:00:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity

lump:~$ mokutil --sb-state
SecureBoot disabled

Not everybody is using the package to enrol keys...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code
 is in use on a military site..." -- Simon Booth
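
Added example, not part of the original message or of the mokutil package: a read-only sketch of the diagnostic use described in the reply, turning `mokutil --db`-style text into one line per certificate and classifying `mokutil --sb-state` output. The function names summarize_keys and sb_state are hypothetical, the second key in the sample is constructed, and the parser assumes one field per line as mokutil prints it.

```shell
#!/bin/sh
# Read-only Secure Boot diagnostics over mokutil's text output.
# Nothing here enrols, deletes or modifies a key.

# Reads `mokutil --db`-style text on stdin and prints, per certificate,
# "<index><TAB><SHA1 fingerprint><TAB><issuer CN>".
summarize_keys() {
    awk '
        function flush() {
            if (have) printf "%s\t%s\t%s\n", idx, fp, cn
            fp = ""; cn = ""; have = 0
        }
        /^\[key [0-9]+\]/   { flush(); idx = $2; sub(/\]/, "", idx); have = 1; next }
        /SHA1 Fingerprint:/ { fp = $NF; next }
        # Accept both "CN=x" and "CN = x"; keep only the first Issuer line per key.
        /^[ \t]*Issuer:/ && cn == "" {
            cn = $0; sub(/.*CN *= */, "", cn); sub(/,.*/, "", cn); next
        }
        END { flush() }
    '
}

# Classifies the text printed by `mokutil --sb-state`.
sb_state() {
    case "$1" in
        "SecureBoot enabled"*)  echo enabled ;;
        "SecureBoot disabled"*) echo disabled ;;
        *)                      echo unknown ;;
    esac
}

# Sample input: key 1 is taken from the output quoted in the message,
# key 2 is constructed for illustration.
SAMPLE_DB='[key 1]
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
    Data:
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
[key 2]
SHA1 Fingerprint: aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa
Certificate:
    Data:
        Issuer: CN = Example Test CA, O = Example'

printf '%s\n' "$SAMPLE_DB" | summarize_keys
sb_state "SecureBoot disabled"
```

On a live system the same functions take real input, for instance `mokutil --db | summarize_keys` and `sb_state "$(mokutil --sb-state)"`.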