sbctl
enroll-keys --export option does not work when SB is in User mode
sbctl enroll-keys always checks if Secure Boot is set to setup mode even when it is not needed, like when using a new export option. Other tools can export the values when SB is in user mode.
Error message is the same as when trying to enroll the keys.
$ sbctl enroll-keys --export esl
Your system is not in Setup Mode! Please reboot your machine and reset secure boot keys before attempting to enroll the keys.
Used sbctl version 0.12 on Arch Linux.
Mm, why do you want to export the esl though? It should be partially identical to what you find in efivarfs
and the intent of this is to use through a secondary enrollment thing.
I used it as an example; it shows the same behaviour when the enroll-keys --export auth option is used.
Also, if a program provides an option to do something, it should do the thing, shouldn't it?
$ sbctl enroll-keys --export auth
Your system is not in Setup Mode! Please reboot your machine and reset secure boot keys before attempting to enroll the keys.
And it still does nothing.
Mm, why do you want to export the esl though? It should be partially identical to what you find in efivarfs and the intent of this is to use through a secondary enrollment thing.
This could be used for a feature of systemd-boot. This feature could automatically store the keys again after the firmware has been reset (for whatever reason) without having to do it manually with sbctl. https://www.freedesktop.org/software/systemd/man/latest/loader.conf.html#secure-boot-enroll But systemd-boot can only do this if the keys were previously exported as "auth" files to the "/loader/keys/" folder.
This makes sense.
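On the overlap between an exported ESL and efivarfs mentioned earlier in the thread, here is an added example (not part of the thread and not sbctl code): an efivarfs file for PK, KEK or db is a 4-byte attribute word followed by EFI_SIGNATURE_LIST structures, which the parser below walks. The owner GUID and certificate bytes are constructed placeholders; on a real system the input would be read from a file under /sys/firmware/efi/efivars/.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_esl(data):
    """Parse concatenated EFI_SIGNATURE_LIST structures.
    Returns [(sig_type_uuid, [(owner_uuid, sig_bytes), ...]), ...]."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        # 16-byte type GUID, then list size, header size, per-entry size
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = list_size - 28 - hdr_size
        if list_size > len(data) - off or sig_size < 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        entries = []
        for pos in range(off + 28 + hdr_size, off + list_size, sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((owner, data[pos + 16:pos + sig_size]))
        lists.append((sig_type, entries))
        off += list_size
    return lists

def parse_efivarfs(raw):
    """efivarfs file = 4-byte little-endian attributes + variable data."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, parse_esl(raw[4:])

def build_esl(sig_type, owner, payload):
    """Build a one-entry signature list (used only for the constructed sample)."""
    sig_size = 16 + len(payload)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + payload)

# Constructed sample: placeholder owner GUID and fake certificate bytes
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_ESL = build_esl(EFI_CERT_X509_GUID, OWNER, b"not-a-real-cert")
# 0x27 = NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
SAMPLE_EFIVARFS = struct.pack("<I", 0x27) + SAMPLE_ESL
```

An .auth file additionally carries an authentication descriptor in front of the signature-list data, which this parser does not handle.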