Re: "aside about secure boot"
> Oh guess who owns the secure boot keys for all your favourite Linux distros.. Would be a shame if they stopped working,
Well if I look at the secure boot keys on my box
firmware keys:
PK:
/CN=HPE UEFI Secure Boot 2016 PK Key/OU=CODE-SIGN/C=US/O=Hewlett Packard Enterprise Company
KEK:
/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011
/CN=HPE UEFI Secure Boot 2016 KEK Key/OU=CODE-SIGN/C=US/O=Hewlett Packard Enterprise Company
db:
/C=US/ST=California/L=Palo Alto/O=VMware, Inc./CN=VMware Secure Boot Signing
/C=US/ST=California/L=Palo Alto/O=VMware, Inc.
/CN=SUSE Linux Enterprise Secure Boot Signkey/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
/O=Hewlett-Packard Company/OU=Long Lived CodeSigning Certificate/CN=HP UEFI Secure Boot 2013 DB key
/CN=HPE UEFI Secure Boot 2016 DB Key/OU=CODE-SIGN/C=US/O=Hewlett Packard Enterprise Company
They seem to list SUSE Linux above Microsoft. These are the factory loaded keys.
So I guess if MS stopped signing the shim.efi file SUSE could do it as well.
I'm not running SUSE, this particular box is actually running dead rat, but most of mine are on Alma these days.
I keep meaning to workout how I can get the public key stuff to let me use shimx64-redhat.efi, or any other distros equivalent file.