Hi Eric,

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index 955bd57815f4..747f0c528fec 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void > if (!restriction) > panic("Can't allocate secondary trusted keyring restriction\n"); > > - restriction->check = restrict_link_by_builtin_and_secondary_trusted; > + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) > + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted;

Returning the new restriction in a function named get_builtin_and_secondary_restriction() is kind of weird. Renaming the function to get_secondary_restriction() would be clearer.

thanks,

Mimi
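
Review bot: in get_builtin_and_secondary_restriction(), the unconditional assignment to restriction->check is removed and the only replacement visible in the quoted hunk is guarded by IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING), so the path with that option disabled needs an explicit else that keeps restrict_link_by_builtin_and_secondary_trusted, otherwise the check callback is left unset. The hunk header (-89,7 +89,10) indicates more added lines than the quote shows, so the else may already be there. If it is, a short comment above the if would still help, stating that with the machine keyring enabled the secondary keyring uses restrict_link_by_builtin_secondary_and_ca_trusted (which, going by its name, also accepts CA-trusted keys), since the panic message and the function name still describe only the builtin and secondary case.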