this is all very annoying! But I see what you mean now.

We probably should not add opal keys to the trusted_keyring then.

I would rather avoid introducing a new CA key whilst we cannot travel to
assemble and distribute CA shards offline.

I'd rather somehow enable platform_keyring or IMA keyring, and make the
kernel able to specify keys listed there at build time and ship the
OPAL key there.

Cause the keys we use to sign the kernel image & grub image are not the
keys that are used to sign kernel modules, hence shouldn't be in the
trusted keyring.

Or we can end up with a userspace .service that exports trusted_keyrings
and imports them into the IMA keyring on every boot. But that would be sad
as well.

Let me find power machines to play around with this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1903288

Title:
  Power guest secure boot with static keys: kernel portion

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1903288/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs