Jan Janssen
> It makes sense to sign the `shim` even with self-enrolled keys because support for kernel module signatures with the `lockdown` LSM is gated behind it. (I could rant at...
Well, this is silly. Considering https://github.com/systemd/systemd/pull/20255 has landed now, it could be extended to also enroll a MOK for these kinds of cases…
> You would still need to have the shim there, unless you have `sd-boot` setup the EFI configuration table :) The idea would be that for this pseudo-shim support, you'd...
> Mm, the kernel refuses to read the `MOK` variables unless they are present in the EFI configuration table. I see. But installing the MOK key store should be a...
But that's the idea, no? Provide a MOK store so that the user can give the kernel a trusted key for kernel module signing, while relying on the regular UEFI...
Fedora CI is failing because it passes `--auto-features=enabled`. It needs to disable `libidn` and `passwdqc`.
Now it's having the same error that mkosi had, requesting polkit support without it being installed: `meson.build:1159:12: ERROR: Dependency "polkit-gobject-1" not found, tried pkgconfig`
/packit build
I added one more commit that simplifies efi test/fuzz definitions.
It's just another case of overlapping PE sections (which in this case are not detected by the stub as code execution doesn't get far enough). The proper solution is porting...