Hi, We know that IMA or EVM signing key must be signed by the .builtin_trusted_keys. In the .builtin_trusted_keys keyring of a fresh CentOS, for example, there are public keys created by CentOS. And the private key counterparts were not available publicly. So I think there is technically no way for others to sign the IMA or EVM key by the private keys of those CA. Is there a possibility of getting the IMA or EVM signing keys signed (probably by the public key in .builtin_trusted_keys) without rolling own CA and re-gen the kernel? Thanks, Clay
