On Fri, 2021-07-02 at 21:02 +0200, Julian Andres Klode wrote: > On Thu, Apr 08, 2021 at 02:20:36PM -0700, Adam Williamson wrote: > > Well, upstream has fixed s/enroll/enable/ . But it has not added any > > useful explanation of what this does, nor why it prompts for a password > > It enables validation in shim, as the manual page says - it's the > opposite of disable-validation. > > > and what that password does. > > It's hardly mokutil's job to explain mokmanager's inner workings, > but as I'm surely aware you know, any action needs to be confirmed > at boot by a password - or specific characters thereof (sigh).
I didn't actually know that, no. I was completely confused until someone explained this to me on IRC. > > It's a very specific tool to control MokManager that's not really > suitable for end users, but for distro developers building integration > so I think both things are kind of non-issues. However, it is actually necessary for end users in at least one specific case: developer edition Dell laptops (which are quite popular among Linux users). These ship with Secure Boot enabled at the firmware level, but disabled at the MOK level. Running this command is exactly what you have to do to actually enable Secure Boot properly on those laptops. See https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413#comment-1978725 for me being completely confused about that command. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net