http://bugzilla.opensuse.org/show_bug.cgi?id=1209006
http://bugzilla.opensuse.org/show_bug.cgi?id=1209006#c21

Joey Lee <jlee@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 Flags|needinfo?(jlee@suse.com)    |

--- Comment #21 from Joey Lee <jlee@suse.com> ---
For reference, kernel upstream's plan for the .platform and .machine keyrings is here:

keyrings, key usage, and trust models
https://lore.kernel.org/all/20220928055900.GT4909@linux-l9pv.suse/t/#m3ce7e4...

And a PDF of slides. Those pictures may be useful:
https://static.sched.com/hosted_files/lssna2022/18/LSS%202022%20trust%20and%...

Newest patch set:
[PATCH v5 0/6] Add CA enforcement keyring restrictions
https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com...

Per my understanding, "keys in UEFI db" are only trusted to verify booting/kexec. MOKs can also be used to verify booting/kexec. CA MOKs can be used to verify keys for the .ima keyring.