Hi Eric, On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: > +config INTEGRITY_MACHINE_KEYRING > + bool "Provide a keyring to which CA Machine Owner Keys may be added" > + depends on SECONDARY_TRUSTED_KEYRING > + depends on INTEGRITY_ASYMMETRIC_KEYS Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this change, is "KEYS: Create static version of public_key_verify_signature" trusted needed? Mimi > + depends on SYSTEM_BLACKLIST_KEYRING > + depends on LOAD_UEFI_KEYS > + help > + If set, provide a keyring to which CA Machine Owner Keys (MOK) may > + be added. This keyring shall contain just CA MOK keys. Unlike keys > + in the platform keyring, keys contained in the .machine keyring will > + be trusted within the kernel. > +
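Review bot: The help text for INTEGRITY_MACHINE_KEYRING says keys in the .machine keyring "will be trusted within the kernel" but does not say what that trust covers or how it relates to the SECONDARY_TRUSTED_KEYRING dependency declared just above it. Because the option extends kernel trust to Machine Owner Keys, where platform keyring keys are not trusted, the help should say what a key on this keyring can be used to verify, so that someone enabling it can judge the impact. A smaller wording point in the same help text: "CA MOK keys" repeats "keys" after the expansion "Machine Owner Keys (MOK)"; "CA MOKs" would read better.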