Comment # 27 on bug 1173115 from
While integrating the check for the kernel keyring, I think the CA check is still
useful for kernel packages. Especially when rotating the Signkey, the keyring
check doesn't prevent the new Signkey from being enrolled.

I would like to make the CA check in mokutil optional and only enforce the CA check
when installing a kernel package. Since the built-in signkey is usually also
the key used to sign the kernel itself, if the CA of the signkey is already in MOK or
shim, it's safe to skip the enrollment of the signkey.

For KMP, we only apply the kernel keyring check, not the CA check, so that a PTF
KMP can still enroll its key in the normal SLE kernel.

I think this would avoid most cases of unnecessary key enrollment.
