Foxboron / sbctl

Secure Boot key manager
MIT License

Enabling Secure Boot with enroll-keys #282

Closed tblancher closed 2 months ago

tblancher commented 5 months ago

This is not a problem, per se. My experience conflicts with what @Foxboron told me. I had submitted a PR to fix a typo and take language out that suggested sbctl enroll-keys enabled Secure Boot automatically.

For me, that is exactly true: running sbctl enroll-keys --microsoft did indeed enable Secure Boot, and I didn't need to subsequently enable it in my UEFI firmware settings. I have a Lenovo ThinkPad X1 Carbon, 11th Gen, and I've gone into Setup Mode a few times to fix various issues. To enable Secure Boot again I always have to run sbctl enroll-keys --microsoft, and no further action is required to enable Secure Boot.

I imagine this is hardware- or manufacturer-, or at least UEFI firmware vendor-dependent. With my X1 Carbon, whenever I enable Setup Mode there is always a warning that doing so will clear the Platform key. I think this is the reason why enabling Secure Boot in the UEFI firmware settings doesn't work by itself (where are you supposed to get the Platform key?). At least my X1 Carbon needs the OS to install the Platform key (this is ostensibly what sbctl enroll-keys does, among other things), and doing so for this hardware automatically re-enables Secure Boot.
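The firmware state discussed in the comment above can be checked directly from the UEFI `SetupMode` and `SecureBoot` variables exposed through efivarfs. The script below is an added example, not part of the thread and not sbctl's own code; the function names, state labels and sample directories are assumptions made up for illustration.

```shell
#!/bin/sh
# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efi_flag DIR NAME: print the one-byte value of a global boolean variable.
# efivarfs prefixes every file with a 4-byte attribute field, so the value
# is the fifth byte of the file.
efi_flag() {
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state DIR: classify the platform from SetupMode and SecureBoot.
# The labels printed here are hypothetical names chosen for this example.
sb_state() {
    setup=$(efi_flag "$1" SetupMode)
    secure=$(efi_flag "$1" SecureBoot)
    case "$setup:$secure" in
        1:*) echo "setup-mode" ;;                   # no Platform Key enrolled
        0:1) echo "enforcing" ;;                    # keys enrolled, Secure Boot on
        0:0) echo "keys-enrolled-not-enforcing" ;;  # still needs enabling in firmware
        *)   echo "unknown" ;;                      # variable missing or unreadable
    esac
}

# make_sample DIR SETUP SECURE: write constructed efivarfs-style files
# (attributes 0x00000006, then the one-byte value) for offline testing.
make_sample() {
    mkdir -p "$1"
    printf "\\006\\000\\000\\000\\00$2" > "$1/SetupMode-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SecureBoot-$EFI_GLOBAL"
}

# Constructed samples for the three states a machine can be in.
demo=$(mktemp -d)
make_sample "$demo/cleared" 1 0
make_sample "$demo/enrolled" 0 0
make_sample "$demo/enforcing" 0 1
for d in cleared enrolled enforcing; do
    printf '%s: %s\n' "$d" "$(sb_state "$demo/$d")"
done
rm -rf "$demo"

# On a real UEFI system, classify the live firmware state as well.
live=/sys/firmware/efi/efivars
if [ -d "$live" ]; then printf 'this machine: %s\n' "$(sb_state "$live")"; fi
```

Running it before and after key enrollment shows whether a given firmware moves straight to `enforcing` or stops at `keys-enrolled-not-enforcing`.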

Foxboron commented 5 months ago

I don't see anything actionable in this issue. What is the intent with this?

tblancher commented 5 months ago

This really should go under the Discussions section, but I don't see one in this GitHub project.

EDIT: Oh, I thought I saw a Discussions section on another GitHub project, but I'm not finding it now. I must have seen it somewhere else.

EDIT2: I did see a Discussions section on a GitHub project; it looks like it has to be explicitly enabled by the project owner. See qutebrowser/qutebrowser for an example.

Foxboron commented 2 months ago

The discussion section has been enabled so I'll just close this issue :)