by abelsson 1021 days ago
That’s fine, assuming we pass laws mandating that signing keys can be controlled by end users. Otherwise we end up where no-one really owns their devices any more, every device would be merely temporarily rented.

How could that work? A consumer would be required to build the firmware and flash it to the product themselves?
Of course not. Having the ability to add or modify root CAs in browsers doesn’t imply a requirement to sign every webpage yourself either.
NVIDIA GPU Linux kernel modules must be self-signed to work with SecureBoot enabled; they must be self-signed every time they're updated by an akmod package upgrade.

So, it is necessary to remove the MS SecureBoot ~CApubkey and add the OS and local ~CApubkeys to the SecureBoot cert list with BIOS, and re-sign every module install|&build in order to work with NVIDIA (and probably also AMD?) in containers.

It's necessary and a fair expectation that users will continue to be able to remove and add x86-64 SecureBoot bootloader signing keys.
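
The thread above mentions that out-of-tree modules have to be re-signed after every akmod rebuild. One way to spot a module that was rebuilt but not re-signed is to look for the appended-signature trailer the Linux kernel expects at the end of a `.ko` file. This is an added example, not part of the thread: the function names and sample bytes are constructed, and it assumes an uncompressed module file.

```python
import struct

# Layout of a signed module file in the Linux kernel's module signing format:
# [module ELF][PKCS#7 signature][12-byte struct module_signature][magic]
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian)
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def module_signature_info(blob: bytes):
    """Describe the appended signature, or return None if the module is unsigned.

    Raises ValueError when the magic is present but the trailer is malformed.
    This inspects structure only; it does not verify the signature against
    any key enrolled in the firmware or the MOK list.
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < SIG_INFO.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        blob[end - SIG_INFO.size:end])
    sig_start = end - SIG_INFO.size - sig_len
    if sig_len == 0 or sig_start < 0:
        raise ValueError("invalid signature length")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must zero the legacy fields")
    return {"id_type": id_type, "sig_len": sig_len, "payload_len": sig_start}


def constructed_module(signed: bool) -> bytes:
    # Constructed sample: placeholder ELF bytes plus a dummy 16-byte signature.
    elf = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return elf
    sig = b"\x30" + b"\xaa" * 15
    return elf + sig + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    for label in ("signed", "unsigned"):
        blob = constructed_module(label == "signed")
        print(label, module_signature_info(blob))
```

A `None` result for a freshly rebuilt module means it will be rejected at load time when module signature enforcement is active, which is the case the thread describes.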