For example, one that will allow you to enter SB setup mode and clear the EFI keys, but not offer a way to enroll new ones from the firmware setup UI, while simultaneously making the EFI KeyTool fail enrollment with a cryptic error message. :)
The Arch wiki also adds some additional warnings that you may want to check into. For instance, my Thinkpad with an Nvidia GPU will be bricked if I use the normal API to load secure boot keys, because on boot certain firmware is executed before the setup utility, which means that if that firmware fails verification, the entire laptop becomes unbootable. The workaround (load keys through the UEFI setup utility instead of any other tools) doesn't let me get rid of the manufacturer keys and take full control, unfortunately. I'll keep Lenovo's choices here in mind next time I buy a laptop.
Thanks to updates to sbctl, you can create keys with `sbctl create-keys` rather than typing out complex openssl commands. sbctl's `enroll-keys` should also make the key enrollment procedure easier.
Your distro probably also comes with an optional package manager hook so you don't need to repeat the sign commands every time your bootloader updates.
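As an added, end-to-end illustration of the sbctl workflow described in the comment above (this is not the commenter's script, nor sbctl's own code): the script below runs the create-keys / enroll-keys / sign / verify sequence and writes a pacman hook so the signing step repeats itself on every kernel or bootloader update. The hook is modelled on the one the sbctl package ships for pacman, reconstructed from memory here, so diff it against the packaged `zz-sbctl.hook` before trusting it. Assumptions: an Arch-style system with the ESP at `/boot`, the firmware already in Setup Mode, and the file names `sbctl-setup.sh`, `/boot/vmlinuz-linux` and `/boot/EFI/BOOT/BOOTX64.EFI` are placeholders. The `KEEP_MS` switch exists because of exactly the failure mode described for the Thinkpad: option ROMs such as a discrete GPU's GOP driver are normally signed under Microsoft's third-party UEFI CA and run before you ever reach the setup utility, so dropping the Microsoft certificates from db can leave the machine unbootable. `DRY_RUN=1` prints the plan instead of executing it, which is what the check at the bottom exercises.

```shell
#!/bin/sh
# Added example, not from the thread or from the sbctl project.
# Assumes sbctl is installed, the ESP is mounted at /boot, and the
# firmware is already in Setup Mode (PK cleared via the firmware UI).
set -eu

# Every privileged command goes through run() so the whole procedure can be
# dry-run (DRY_RUN=1) on a machine without sbctl or without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Keep Microsoft's certificates in db unless explicitly told otherwise.
# Firmware that executes Microsoft-signed option ROMs (e.g. a discrete GPU's
# GOP driver) before the setup utility will fail verification, and therefore
# fail to boot, if only your own keys are enrolled. KEEP_MS=1 is the safe default.
enroll_flags() {
    if [ "${KEEP_MS:-1}" = "1" ]; then
        echo "--microsoft"
    fi
}

setup_secure_boot() {
    run sbctl status                       # confirm Setup Mode before touching anything
    run sbctl create-keys                  # PK/KEK/db key pairs under /var/lib/sbctl
    run sbctl enroll-keys $(enroll_flags)  # write the keys into the firmware variables
    # Placeholder paths: adjust to the kernel image and boot manager you actually use.
    # -s (--save) records each file in sbctl's database so sign-all can re-sign it later.
    for f in /boot/vmlinuz-linux /boot/EFI/BOOT/BOOTX64.EFI; do
        run sbctl sign -s "$f"
    done
    run sbctl verify                       # every tracked file must report as signed
}

# Pacman hook that re-signs every tracked file after a boot-related transaction.
# Reconstructed here from memory of sbctl's packaged zz-sbctl.hook; compare before use.
write_pacman_hook() {
    dst="$1"
    cat > "$dst" <<'EOF'
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = boot/*
Target = efi/*
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*
Target = usr/lib/**/efi/*.efi*

[Action]
Description = Signing EFI binaries...
When = PostTransaction
Exec = /usr/bin/sbctl sign-all -g
EOF
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    setup_secure_boot
    write_pacman_hook /etc/pacman.d/hooks/zz-sbctl.hook
fi
```

`DRY_RUN=1 RUN_SETUP=1 sh sbctl-setup.sh` prints the exact command sequence without touching the firmware; with `KEEP_MS=0` the `--microsoft` flag disappears and you are on your own with respect to option ROMs. Recent sbctl releases also inspect the TPM event log for option ROMs and refuse `enroll-keys` without `--microsoft` (or a comparable opt-in) for the same reason, so treat that refusal as a signal rather than an obstacle.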
sylware•2h ago
...