dkms: reinstate --enroll-key

[evelikov]

This is a Debian/Ubuntu patch, the following is their original commit message:

When a brand new secureboot key is created, and it hasn't been
previously enrolled as a mok key, it will be rejected by the
kernel. After creating a new key, one should be enrolling it.

Side note: The update-secureboot-policy script seemingly originates from Ubuntu, where Debian has an ancient copy, which lacks both --new-key and --enroll-key.

Fixes: 3ca52f8 ("Fix signing on ubuntu & debian (#244)")

@xuzhen @anbe42 jfyi

[xuzhen]

If we're going to do this on Ubuntu, what about other distros? The behavior of dkms on each distribution should be as consistent as possible.

And before 3ca52f8, dkms will checked if secureboot was enabled before enrolling the key. Without those code, update-secureboot-policy --enroll-key will show unnecessary errors in output on platforms that do not enable or support secureboot.

[evelikov]

Welcome back @xuzhen p/

Yes, ideally dkms will have zero knowledge about distribution specifics.

From a quick look the vast majority are caused by our open-coding of the installation/copy/strip/sign stages. Off the top of my head all of that can be avoided by using the kernel module_install rule. I am itching to give that a try, although it has a much greater chance of causing issues - hence the quick fix here.

The patch is taken as-is from the Debian repo, so it should not cause (too many) errors. CI also looks happy so we can fix any issues as follow-up.

[xuzhen]

I think we should mention this special handling for Ubuntu in README.md

[evelikov]

Looking at the README - it had a few typos + was misleadingly mentioning Debian. Thanks o/