Comment 4 for bug 1993646

Aaron Rainbolt (arraybolt3) wrote :

Makes sense, and as Erich pointed out, the MOK is the machine *owner* key, so having an OEM automatically enroll it is invasive and, as you point out, dangerous. However, at the same time, it looks to me like OEM installations aren't compatible with Secure Boot, so figuring out some way to fix that may be helpful. Perhaps it would be possible to make the generation and enrollment of the MOK key happen after the user turns the system on and sets it up for the first time?