Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"

2021-07-02 Thread Adam Williamson
On Fri, 2021-07-02 at 21:02 +0200, Julian Andres Klode wrote:
> On Thu, Apr 08, 2021 at 02:20:36PM -0700, Adam Williamson wrote:
> > Well, upstream has fixed s/enroll/enable/ . But it has not added any
> > useful explanation of what this does, nor why it prompts for a password
> 
> It enables validation in shim, as the manual page says - it's the
> opposite of disable-validation.
> 
> > and what that password does.
> 
> It's hardly mokutil's job to explain mokmanager's inner workings,
> but as I'm surely aware you know, any action needs to be confirmed
> at boot by a password - or specific characters thereof (sigh).

I didn't actually know that, no. I was completely confused until
someone explained this to me on IRC.
> 
> It's a very specific tool to control MokManager that's not really
> suitable for end users, but for distro developers building integration
> so I think both things are kind of non-issues.

However, it is actually necessary for end users in at least one
specific case: developer edition Dell laptops (which are quite popular
among Linux users). These ship with Secure Boot enabled at the firmware
level, but disabled at the MOK level. Running this command is exactly
what you have to do to actually enable Secure Boot properly on those
laptops.

See
https://bodhi.fedoraproject.org/updates/FEDORA-2021-cab258a413#comment-1978725
for me being completely confused about that command.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
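
The state described in the message above (Secure Boot on in firmware, validation off at the MOK level) can be told apart from the EFI variables. This is an added example, not part of the thread or of mokutil: it assumes shim mirrors its setting into the MokSBStateRT runtime variable (1 = validation disabled) next to the firmware's SecureBoot variable, and the function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: classify the effective Secure Boot state from efivarfs.
# An efivarfs file holds 4 bytes of attributes followed by the variable data.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"     # firmware state
MOK_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"  # shim's mirror (assumed)

# Print the first data byte of an efivarfs file as a decimal number.
# Prints nothing when the variable is absent or unreadable.
efivar_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# sb_effective_state [DIR]: DIR defaults to the live efivarfs mount.
sb_effective_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    fw="$(efivar_byte "$dir/$SB_VAR")"
    mok="$(efivar_byte "$dir/$MOK_VAR")"
    if [ "$fw" != "1" ]; then
        # Firmware itself does not enforce signatures.
        echo "firmware-off"
    elif [ "$mok" = "1" ]; then
        # Firmware verifies shim, but shim skips validation of what it loads.
        echo "firmware-on-shim-validation-off"
    else
        # No MokSBStateRT (or 0): shim validates, the default.
        echo "enforcing"
    fi
}

# Constructed sample input: write a variable file with attributes 0x00000006
# (boot-service + runtime access) and a single data byte given as $2.
make_sample_var() {
    {
        printf '\006\000\000\000'
        printf "\\$(printf '%03o' "$2")"
    } > "$1"
}

# Run against the real system with: sh this-file --live
if [ "${1:-}" = "--live" ]; then
    sb_effective_state
fi
```

`mokutil --sb-state` reports the same information on a live system; the middle result is the case where `mokutil --enable-validation` followed by the confirmation at the next boot is needed.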



Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"

2021-07-02 Thread Julian Andres Klode
On Thu, Apr 08, 2021 at 02:20:36PM -0700, Adam Williamson wrote:
> Well, upstream has fixed s/enroll/enable/ . But it has not added any
> useful explanation of what this does, nor why it prompts for a password

It enables validation in shim, as the manual page says - it's the
opposite of disable-validation.

> and what that password does.

It's hardly mokutil's job to explain mokmanager's inner workings,
but as I'm surely aware you know, any action needs to be confirmed
at boot by a password - or specific characters thereof (sigh).

It's a very specific tool to control MokManager that's not really
suitable for end users, but for distro developers building integration
so I think both things are kind of non-issues.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en



Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"

2021-07-02 Thread Adam Williamson
Well, upstream has fixed s/enroll/enable/ . But it has not added any
useful explanation of what this does, nor why it prompts for a password
and what that password does.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net



Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"

2021-03-16 Thread Steve McIntyre
On Wed, Jun 19, 2019 at 10:07:44PM -0400, Antoine Beaupre wrote:
>Package: mokutil
>Version: 0.3.0+1538710437.fb6250f-1
>Severity: minor
>
>mokutil(1) has this to say about "validation":
>
>   mokutil [--disable-validation]
>   mokutil [--enable-validation]
>   
>   [...]
>   
>   --disable-validation
>          Disable the validation process in shim
>
>   --enrolled-validation
>          Enable the validation process in shim
>
>This seems like a contradiction: is it `enrolled` or `enable`? I tried
>`enable` and it worked, so maybe it's the first? In any case, it seems
>the manpage should be fixed.

It's definitely just a manpage bug, and it's been fixed
upstream. Should have that fix soon, I hope.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"I used to be the first kid on the block wanting a cranial implant,
 now I want to be the first with a cranial firewall. " -- Charlie Stross



Bug#930759: mokutil(1) refers to non-existent "--enroll-validation"

2019-06-19 Thread Antoine Beaupre
Package: mokutil
Version: 0.3.0+1538710437.fb6250f-1
Severity: minor

mokutil(1) has this to say about "validation":

   mokutil [--disable-validation]
   mokutil [--enable-validation]
   
   [...]
   
   --disable-validation
          Disable the validation process in shim

   --enrolled-validation
          Enable the validation process in shim

This seems like a contradiction: is it `enrolled` or `enable`? I tried
`enable` and it worked, so maybe it's the first? In any case, it seems
the manpage should be fixed.

For some mysterious reason, `mokutil --enable-validation` is the magic
thing I had to do to get secureboot working here. I have no idea what
it does and the manpage doesn't really explain that beyond saying "it
enables the validation, duh". It would be great if the docs would
actually say what that thing actually does so I'm not totally in the
dark about what I'm doing with this uber secure thing. :)

Why does that thing prompt for a password anyways?

A.

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mokutil depends on:
ii  libc6   2.28-10
ii  libefivar1  37-2
ii  libssl1.1   1.1.1c-1

mokutil recommends no packages.

mokutil suggests no packages.

-- debconf-show failed