#1076269 enroll DKMS signing key / automate running "sudo mokutil --import /var/lib/dkms/mok.pub"

#1076269#5
Date: 2024-07-13 12:19:00 UTC
Dear maintainer,

as of Debian bookworm, the most non-intuitive, difficult for users to
figure out setup step that must be applied on Secure Boot enabled
systems is the following:

     sudo mokutil --import /var/lib/dkms/mok.pub

This is documented in the DKMS readme [1] but that is not easily discovered
by users.

Hence my feature request is to enroll DKMS signing key / automate
running "sudo mokutil --import /var/lib/dkms/mok.pub". As far as I
understand the DKMS and update-secureboot-policy source code in Ubuntu,
it seems that this is already a default feature in Ubuntu. In other
words, it seems Ubuntu is automating the DKMS signing key enrollment.

I have also reported this issue upstream to DKMS [2] because according
to a DKMS source code comment,

 > Debian's update-secureboot-policy has no --new-key option

this might be a Debian-specific issue here, hence also reporting against
Debian's DKMS package.

Cheers,
Patrick

[1] https://github.com/dell/dkms?tab=readme-ov-file#secure-boot

[2] automate running "sudo mokutil --import /var/lib/dkms/mok.pub"
https://github.com/dell/dkms/issues/429
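
Added example, not part of the original report and not code from DKMS or Debian: a shell check that tells an administrator whether the DKMS key from the report still needs the manual `mokutil --import` step. The function names are hypothetical, and the phrases matched in `mokutil --sb-state` and `mokutil --test-key` output are assumptions about mokutil's wording that may differ between versions.

```shell
#!/bin/sh
# Added example: report whether the DKMS MOK still needs enrolling.
# MOK_PUB is the path from the report; function names are hypothetical.
MOK_PUB="${MOK_PUB:-/var/lib/dkms/mok.pub}"

# classify_mok_state SB_STATE_OUTPUT TEST_KEY_OUTPUT
# Prints one of: sb-off, enrolled, pending, import, unknown.
# The matched phrases are assumed mokutil output, not taken from the report.
classify_mok_state() {
    case "$1" in
        *"SecureBoot enabled"*) ;;
        *"SecureBoot disabled"*) echo sb-off; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    case "$2" in
        *"is already enrolled"*) echo enrolled ;;
        *"already in the enrollment request"*) echo pending ;;
        *"is not enrolled"*) echo import ;;
        *) echo unknown ;;
    esac
}

# Query the running system and print a one-line verdict.
check_dkms_mok() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
    [ -r "$MOK_PUB" ] || { echo "$MOK_PUB not readable" >&2; return 2; }
    sb=$(mokutil --sb-state 2>&1)
    key=$(mokutil --test-key "$MOK_PUB" 2>&1)
    case "$(classify_mok_state "$sb" "$key")" in
        sb-off)   echo "Secure Boot disabled; enrollment not required." ;;
        enrolled) echo "DKMS key is enrolled." ;;
        pending)  echo "Enrollment queued; reboot and confirm it in MokManager." ;;
        import)   echo "Not enrolled. Run: sudo mokutil --import $MOK_PUB" ;;
        *)        echo "Could not determine state:" >&2
                  printf '%s\n%s\n' "$sb" "$key" >&2
                  return 1 ;;
    esac
}

# Touch the live system only when invoked as: ./script check
if [ "${1:-}" = "check" ]; then
    check_dkms_mok
fi
```

The script only reports state. The import itself still asks for a one-time password and is confirmed at the MokManager prompt on the next reboot.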