[Bug 1209006] Document how to secureboot-sign manually-built kernel modules on TW kernel >= 6.2.1
https://bugzilla.suse.com/show_bug.cgi?id=1209006
https://bugzilla.suse.com/show_bug.cgi?id=1209006#c16

--- Comment #16 from Martin Wilck <martin.wilck@suse.com> ---

(In reply to Martin Wilck from comment #15)
> (In reply to Joey Lee from comment #9)
> > Based on the v6.2 kernel, keys in the .machine keyring still must be trusted (signed) by a key in the built-in/secondary keyring. It applies restrict_link_to_ima and depends on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
> [...]
> So keys could be added from the machine keyring to the secondary keyring without being trusted by the secondary keyring beforehand, but such keys could never have been added to the machine keyring in the first place.
> That looks like an upstream bug to me.
Sorry, no. I was wrong. https://elixir.bootlin.com/linux/v6.2/source/security/integrity/digsig.c#L13... shows that there is no restriction at all for keys in the machine and platform keyrings. But now I fail to see why MoK keys don't make it into the secondary keyring...
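Added diagnostic example, not from the bug report or from the kernel sources: a POSIX shell helper that compares the key serials `keyctl show` prints for the `.machine` and `.secondary_trusted_keys` keyrings, so an administrator can see which MOK keys were not linked into the secondary keyring (the open question above). A key linked into several keyrings keeps one serial, so serials are compared; the two `keyctl show` outputs embedded below are constructed samples, and `check_live` assumes the `keyctl` utility is installed.

```shell
#!/bin/sh
# Constructed sample of `keyctl show %:.machine` (serials and key names invented).
MACHINE_SAMPLE='Keyring
 1028462883 ---lswrv      0     0  keyring: .machine
  331247599 ---lswrv      0     0   \_ asymmetric: Example Corp: Kernel Module Signing Key: 11aa22bb
  578930412 ---lswrv      0     0   \_ asymmetric: MOK-only test key: deadbeef'

# Constructed sample of `keyctl show %:.secondary_trusted_keys`: only one of the
# two MOK keys above has been linked into it.
SECONDARY_SAMPLE='Keyring
  784522039 ---lswrv      0     0  keyring: .secondary_trusted_keys
  331247599 ---lswrv      0     0   \_ asymmetric: Example Corp: Kernel Module Signing Key: 11aa22bb'

# key_serials TEXT: print the serial (first column) of every asymmetric key
# listed in `keyctl show` output; nested keyrings (type "keyring:") are skipped.
key_serials() {
    printf '%s\n' "$1" | awk '/asymmetric:/ { print $1 }'
}

# missing_from SRC_TEXT DST_TEXT: print the serials of keys present in the
# source keyring listing but absent from the destination keyring listing.
missing_from() {
    target=$(key_serials "$2")
    key_serials "$1" | while read -r serial; do
        printf '%s\n' "$target" | grep -qxF "$serial" || echo "$serial"
    done
}

# check_live: run the comparison against the running kernel's keyrings.
# Prints nothing when every .machine key has made it into the secondary keyring.
check_live() {
    missing_from "$(keyctl show %:.machine)" \
                 "$(keyctl show %:.secondary_trusted_keys)"
}
```

Run `check_live` as root on the affected system; any serial it prints names a .machine key that did not get linked into `.secondary_trusted_keys`, and `keyctl describe <serial>` shows which certificate that is.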