(In reply to Michal Suchanek from comment #6) > On Leap we don't need the secondary keyring at all, we have a downstream > patch that loads the MOK keys into platform keyring, and verifies modules > with platform keyring. > On the other hand, as Michal mentioned, SLE/Leap applied downstream patch: patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch This patch allows modsign function mod_verify_sig() uses .platform keyring to verify kernel module. We didn't have this patch in openSUSE Tumbleweed yet. I have checked the following kernels from different distros, all of them are applied the same downstream patch: Ubuntu ubuntu-stable-kinetic no CONFIG_INTEGRITY_MACHINE_KEYRING CentOS Stream 9 kernel linux-5.14.0-214.el9.x86_64 no CONFIG_INTEGRITY_MACHINE_KEYRING Fedora 37 kernel-6.2.2-301.fc38.src.rpm CONFIG_INTEGRITY_MACHINE_KEYRING=y Fedora 37 has set CONFIG_INTEGRITY_MACHINE_KEYRING, but it still applied downstream patch to allow .platform keyring be used to verify kernel modules. We can also apply this patch to openSUSE Tumbleweed, but this patch may never be accepted by kernel upstream. Because in Eric Snowberg's "Add CA enforcement keyring restrictions" solution, only CA in MOK can be put to .secondary keyring. Other non-CA MOKs still can not be used to verify kernel module. User needs to use keyctl to add it to .secondary keyring after the CA MOK be added. If we don't apply downstream patch and choice waiting Eric's solution is accepted. Then the only solution is disabling secure boot currently.