From https://lore.kernel.org/all/20220928055900.GT4909@linux-l9pv.suse/t/#m3ce7e451f1855d9c432965bb896cb7ce0f89e009:

> The end-user will now need to enroll two keys. First the CA Key into the MOK and then the leaf cert into the secondary trusted keyring.

HOW would the user add this leaf cert? I am not getting it. From the PDF slides I got the impression that the "Root user" would play a role here, but I couldn't figure out how this would work, in particular how the root user's cert would be added to the kernel.

Wrt the general mind set, I agree with Michal. IMO the biggest issue is that IMA is disabled as soon as a .machine keyring is populated. That looks like a political movement of upstream with the intention to deter people from using MoK (and thus, 3rd party modules).

Most of the main actors behind the current changes seem to be IBM employees, plus the Oracle guy. I guess their intention is to find an upstream-accepted framework that would keep IMA functional while allowing a root of trust outside the kernel itself. If they succeed without breaking the current, _relatively_ easy-to-use way to combine 3rd party modules with distro kernels, we might be able to drop our downstream patches, which would be a good thing. But AFAICS their approach would be harder to use, unless some additional tooling is invented or incorporated in mokutil.

MokListTrustedRT is just an annoyance.