by michaelt
335 days ago
> Which is strange because secure boot should be useful in _exactly_ the situation you don't have physical control of the HW, shouldn't it?

One of the ways you can introduce your own signing key is as a Machine Owner Key, using the "MOK Manager".

But a design goal of this software was: We don't want malware with root to be able to introduce a MOK without the user's consent, as then the malware could sign itself. So "MOK Manager" was deliberately designed to require keyboard-and-mouse interaction, early in boot before the network has been brought up.

Of course if your server has a KVM attached, you can still do this remotely, I guess.