Hi,

A few months ago, it took me a long, long time to figure out how to do this and write it in this wiki page:
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key

This works very well, but I wonder if we could automate this by having a hook in DKMS, so that any DKMS rebuild would also sign the DKMS modules. Indeed, it's very annoying that I have to re-sign the modules manually whenever the kernel increases version (in my case, I need to sign the 3 virtualbox kernel modules...).

Maybe we could have a standard path where to store the machine key, and DKMS would use it? Maybe having a /etc/default/dkms where to configure this?

Of course, I am aware that this probably is a security problem. Someone more knowledgeable than me with secure boot could explain why, and how to mitigate the risks, how to store my machine owner key, etc. But for me, usability is more important, and secure boot is still nice. Maybe there's a way to get this safe, like encrypting the MOK and prompting for a password every time?

Thoughts anyone?

Cheers,

Thomas Goirand (zigo)