
Add check and user warning for missing MOK key enrollment after Secure Boot system upgrade (LMDE 7) #125

@Saryndor

Description

When upgrading LMDE 6 → LMDE 7 on systems with Secure Boot enabled and DKMS-based packages (e.g., NVIDIA driver, VirtualBox, VMware), the upgrade completes successfully, but after reboot the new DKMS modules fail to load until the DKMS MOK key is enrolled.

Currently, mintupgrade doesn’t warn about this situation, even though all relevant indicators are available:

  • Secure Boot state can be checked via mokutil --sb-state
  • DKMS packages are known via dkms status
  • DKMS automatically creates /var/lib/dkms/mok.pub when it generates a new local keypair

A short post-upgrade check could detect this and display a simple message:

Secure Boot is enabled and new DKMS modules were built.
To ensure they load correctly, enroll the DKMS MOK key:

sudo mokutil --import /var/lib/dkms/mok.pub

Then confirm the enrollment at the next reboot.

This would prevent confusion where users see “missing key – tainting kernel” or boot into text mode after driver updates, even though the installation technically succeeded.

Environment

Verified on LMDE 7 (Debian Trixie base) with NVIDIA driver 550.163.01.
DKMS builds succeeded, but modules remained unsigned until manual MOK enrollment.

Suggestion

Add a simple check and user warning during or after the upgrade process.
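One way to implement the check the issue asks for, as an added shell example that is not mintupgrade's own code. It assumes mokutil and dkms are on PATH, that DKMS writes its DER public key to /var/lib/dkms/mok.pub, and that `mokutil --test-key` exits 0 when that key is already in MOK (an assumption about mokutil's exit status). The decision logic is kept in pure functions that take the command outputs as arguments, so it can be exercised offline; the sample outputs in the block are constructed, not captured from a real system. Because the check runs after the upgrade but before the reboot, `uname -r` still names the old kernel, so the script deliberately does not filter `dkms status` by kernel release.

```shell
#!/bin/sh
# Added example (not mintupgrade code): post-upgrade check for an unenrolled DKMS MOK key.
# Assumptions: mokutil and dkms are on PATH; DKMS keeps its DER public key at
# /var/lib/dkms/mok.pub; "mokutil --test-key FILE" exits 0 when FILE is already enrolled.

MOK_PUB="${MOK_PUB:-/var/lib/dkms/mok.pub}"

# Constructed sample outputs for offline testing (not captured from a real system).
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_OFF='SecureBoot disabled'
SAMPLE_SB_BIOS='EFI variables are not supported on this system'
SAMPLE_DKMS_BUILT='nvidia/550.163.01, 6.1.0-0-amd64, x86_64: installed'
SAMPLE_DKMS_ADDED='nvidia/550.163.01: added'

# $1 = text of "mokutil --sb-state". Returns 0 only for "SecureBoot enabled".
# "SecureBoot disabled" and the BIOS-boot message both mean the kernel will not
# enforce module signatures, so no warning is needed in those cases.
sb_state_is_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = text of "dkms status". Returns 0 if at least one module is listed as
# installed, i.e. a freshly built module that must be trusted to load.
# No kernel filter: before the reboot "uname -r" is still the old kernel.
dkms_has_installed() {
    printf '%s\n' "$1" | grep -q ': installed'
}

# $1 = sb-state text, $2 = dkms status text, $3 = "yes" if the DKMS key is
# already enrolled, "no" if it exists but is not enrolled, "missing" if there is
# no key file. Returns 0 when the enrollment warning should be shown.
needs_mok_warning() {
    sb_state_is_enabled "$1" || return 1
    dkms_has_installed "$2" || return 1
    [ "$3" = "no" ]
}

# Live check against the running system; returns 1 when the user must act.
check_system() {
    sb_text=$(mokutil --sb-state 2>/dev/null || true)
    dkms_text=$(dkms status 2>/dev/null || true)
    if [ ! -f "$MOK_PUB" ]; then
        enrolled=missing
    elif mokutil --test-key "$MOK_PUB" >/dev/null 2>&1; then
        enrolled=yes
    else
        enrolled=no
    fi
    if needs_mok_warning "$sb_text" "$dkms_text" "$enrolled"; then
        cat <<EOF
Secure Boot is enabled and new DKMS modules were built.
To ensure they load correctly, enroll the DKMS MOK key:

    sudo mokutil --import $MOK_PUB

Then confirm the enrollment at the next reboot.
EOF
        return 1
    fi
    if [ "$enrolled" = missing ] && sb_state_is_enabled "$sb_text" \
        && dkms_has_installed "$dkms_text"; then
        echo "Secure Boot is enabled but no DKMS key was found at $MOK_PUB;" \
             "the new modules are unsigned and will not load."
        return 1
    fi
    return 0
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```

Run it as `sh mok-check.sh --check` after the upgrade. `mokutil --import` asks for a one-time password that MokManager will prompt for at the next boot; the warning text keeps the issue's wording so the user knows to expect that screen.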
