debian/patches/reinstate-enroll.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Description: Upstream pull request incorrectly drops enroll-key option
 When a brand new secureboot key is created, and it hasn't been
 previously enrolled as a mok key, it will be rejected by the
 kernel. After creating a new key, one should be enrolling it.
Index: dkms/dkms.in
===================================================================
--- dkms.orig/dkms.in
+++ dkms/dkms.in
@@ -956,6 +956,7 @@ prepare_signing()
                     fi
                     echo "Certificate or key are missing, generating them using update-secureboot-policy..."
                     SHIM_NOTRIGGER=y update-secureboot-policy --new-key &>/dev/null
+                    update-secureboot-policy --enroll-key
                 fi
 
                 ;;