On Fri, 2023-07-21 at 16:22 +0100, Luca Boccassi wrote: > On Fri, 21 Jul 2023 at 16:14, Luca Boccassi <bluca@xxxxxxxxxx> wrote: [...] > > Anyway, I wasn't aware that SUSE doesn't embed their cert in Shim, > > we'll have to take that in consideration for sure. > > Actually, a dev from SUSE's security just confirmed they embed their > CA in Shim like every other distribution. Nobody seems to be aware of > any example where a distribution relies exclusively on MoK - and > that's understandable, as that would mean failing to boot by default > on a new machine. Do you have any example/cases where that's actually > happening? Outside development/local signing/etc. It happened last year for an openSUSE Leap update that changed the kernel signing certificate. I got asked to confirm acceptance of the new key and it got put in my MokList, which now has three certificates: two suse ones and my own. James
