| What | Removed | Added |
|---|---|---|
| Flags | needinfo?(jlee@suse.com) | |
For reference, kernel upstream's plan for the .platform and .machine keyrings is here: keyrings, key usage, and trust models https://lore.kernel.org/all/20220928055900.GT4909@linux-l9pv.suse/t/#m3ce7e451f1855d9c432965bb896cb7ce0f89e009

And PDF slides; those pictures may be useful: https://static.sched.com/hosted_files/lssna2022/18/LSS%202022%20trust%20and%20keyrings.pdf

Newest patch set: [PATCH v5 0/6] Add CA enforcement keyring restrictions https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/

Per my understanding, "keys in UEFI db" are only trusted to verify booting/kexec. MOKs can also be used to verify booting/kexec. CA MOKs can be used to verify keys for the .ima keyring.