While integrating the kernel keyring check, I think the CA check is still useful for kernel packages. Especially when rotating the Signkey, the keyring check doesn't prevent the new Signkey from being enrolled. I would like to make the CA check in mokutil optional and only enforce the CA check when installing a kernel package. Since the built-in Signkey is usually also the key used to sign the kernel itself, if the CA of the Signkey is already in MOK or shim, it's safe to skip the enrollment of the Signkey. For KMP, we only apply the kernel keyring check, not the CA check, so that a PTF KMP can still enroll its key in the normal SLE kernel. I think this would avoid most cases of unnecessary key enrollment.