On Fri, Jul 14, 2023 at 10:52:20AM +0200, Ard Biesheuvel wrote:
> Maybe the OEMs have gotten better at this over the years, but it is
> definitely not possible for the distros to rely on being able to get
> their own cert into KEK and sign their builds directly.

Getting certs into local machine databases should[1] be possible on all Windows certified machines, but in the status quo there's no cross-vendor solution to doing this. Relying on the Shim-provided mechanisms is much safer from a consistency perspective.

[1] Every time someone has claimed it's impossible to me I've ended up demonstrating otherwise, but that's not a guarantee.