On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgo...@redhat.com> wrote: > > I see that module signing code trusts only builtin keys and > not the keys in secondary_trusted_keys keyring.
This, I think, makes sense. It basically says: we don't allow modules that weren't built with the kernel. Adding a new key later and signing a module with it violates that premise. Linus