Joey Lee changed bug 1209006
What    Removed                     Added
Flags   needinfo?(jlee@suse.com)

Comment # 21 on bug 1209006 from
For reference, kernel upstream's plan for the .platform and .machine keyrings is here:

keyrings, key usage, and trust models
https://lore.kernel.org/all/20220928055900.GT4909@linux-l9pv.suse/t/#m3ce7e451f1855d9c432965bb896cb7ce0f89e009

And a PDF of slides; those pictures may be useful:
https://static.sched.com/hosted_files/lssna2022/18/LSS%202022%20trust%20and%20keyrings.pdf

Newest patch set:
[PATCH v5 0/6] Add CA enforcement keyring restrictions
https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/


As I understand it, "keys in UEFI db" are only trusted to verify booting/kexec.
MOKs can also be used to verify booting/kexec. CA MOKs can be used to
verify keys for the .ima keyring.


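The trust routing the comment above describes (db keys and non-CA MOKs vouching only for boot/kexec, CA MOKs additionally able to vouch for .ima keys), written out as an added, simplified model. This is illustration code, not kernel code and not from the bug thread or the linked series; it assumes a "CA MOK" means a self-signed certificate with basicConstraints CA:TRUE and keyUsage keyCertSign, that `trust_mok` stands for the opt-in set by `mokutil --trust-mok` (MokListTrustedRT), and that .machine is searched wherever .secondary_trusted_keys is. All certificate names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Cert:
    """The parts of an X.509 certificate this routing model looks at (constructed, not real keys)."""
    name: str                    # subject, used as the key identifier here
    issuer: str                  # subject of the signer; equals name when self-signed
    ca: bool = False             # basicConstraints CA:TRUE
    key_cert_sign: bool = False  # keyUsage keyCertSign


Keyrings = Dict[str, Set[str]]


def is_ca_cert(c: Cert) -> bool:
    """CA test that admits a MOK cert into .machine.
    Assumption of this model: the CA must be self-signed, CA:TRUE and keyCertSign."""
    return c.ca and c.key_cert_sign and c.issuer == c.name


def new_keyrings(builtin: Iterable[str]) -> Keyrings:
    return {
        ".builtin_trusted_keys": set(builtin),
        ".secondary_trusted_keys": set(),
        ".machine": set(),
        ".platform": set(),
        ".ima": set(),
    }


def load_firmware_certs(kr: Keyrings, db: Iterable[Cert], mok: Iterable[Cert],
                        trust_mok: bool) -> Keyrings:
    """Route UEFI db and MOK certs at boot.

    db certs always land in .platform.  A MOK cert lands in .machine only when
    the admin opted in (trust_mok, i.e. MokListTrustedRT) AND it passes the CA
    test; every other MOK cert falls back to .platform.
    """
    for c in db:
        kr[".platform"].add(c.name)
    for c in mok:
        if trust_mok and is_ca_cert(c):
            kr[".machine"].add(c.name)
        else:
            kr[".platform"].add(c.name)
    return kr


def trusted_signers(kr: Keyrings, purpose: str) -> Set[str]:
    """Which keys may vouch for a given verification purpose."""
    # .machine is linked into .secondary, so it is searched wherever .secondary is.
    core = (kr[".builtin_trusted_keys"] | kr[".secondary_trusted_keys"]
            | kr[".machine"])
    if purpose == "kexec":      # kexec'd kernel image: also consults .platform
        return core | kr[".platform"]
    if purpose == "module":     # module signatures: builtin/secondary only
        return core
    if purpose == "ima_key":    # adding a key to .ima: issuer must be in builtin/secondary
        return core
    raise ValueError(f"unknown purpose {purpose!r}")


def verify(kr: Keyrings, purpose: str, signer: str) -> bool:
    return signer in trusted_signers(kr, purpose)


def add_ima_key(kr: Keyrings, c: Cert) -> bool:
    """Model of the .ima keyring restriction: the cert's issuer must sit in
    .builtin or .secondary (which, once trusted, includes .machine)."""
    if c.issuer in trusted_signers(kr, "ima_key"):
        kr[".ima"].add(c.name)
        return True
    return False


def scenario(trust_mok: bool) -> Dict[str, bool]:
    """Constructed certificates exercising each routing path."""
    vendor_db = Cert("vendor-db-ca", "vendor-db-ca", ca=True, key_cert_sign=True)
    site_ca = Cert("site-mok-ca", "site-mok-ca", ca=True, key_cert_sign=True)
    site_leaf = Cert("site-mok-leaf", "site-mok-leaf")   # self-signed, not a CA
    ima_by_site = Cert("ima-signer", "site-mok-ca")       # issued by the CA MOK
    ima_by_db = Cert("ima-signer-db", "vendor-db-ca")     # issued by the db CA

    kr = load_firmware_certs(new_keyrings(["distro-builtin"]),
                             db=[vendor_db], mok=[site_ca, site_leaf],
                             trust_mok=trust_mok)
    return {
        "db_key_kexec": verify(kr, "kexec", vendor_db.name),
        "db_key_module": verify(kr, "module", vendor_db.name),
        "mok_leaf_kexec": verify(kr, "kexec", site_leaf.name),
        "mok_leaf_module": verify(kr, "module", site_leaf.name),
        "mok_ca_module": verify(kr, "module", site_ca.name),
        "ima_key_from_ca_mok": add_ima_key(kr, ima_by_site),
        "ima_key_from_db": add_ima_key(kr, ima_by_db),
        "ca_mok_in_machine": site_ca.name in kr[".machine"],
    }


if __name__ == "__main__":
    for trust in (False, True):
        print(f"trust_mok={trust}: {scenario(trust)}")
```

Running it shows the asymmetry the comment points at: a db certificate, even a CA, never leaves .platform and so only ever vouches for kexec; a non-CA MOK behaves the same; only a CA MOK, and only after the trust-mok opt-in, reaches .machine and can then vouch for modules and for keys being added to .ima.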