Mimi Zohar <zo...@linux.vnet.ibm.com> wrote: > Would then restrict_link_to_system_trusted imply both the builtin and > secondary keyrings or just the builtin keyrings?
Both, if available; just builtin if the secondary is not available. restrict_link_by_builtin_trusted() does only the builtin. > Changing the system keyring name to builtin keys, without changing the > corresponding restrict_link name, obfuscates what is really happening. You can still look at the code, it's not as if it's particularly hidden. The problem boils down to a difficulty in concocting a name that describes a complex situation that may change depending on the configuration. I can make it "restrict_link_by_any_system_trusted" if you'd prefer. That's why I want "system trusted keyrings" to refer to the builtin and the secondary - *and* an extra UEFI keyring if we grow one of those. It's a collection of related keyrings. David