Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot

From: Linus Torvalds
Date: Wed Aug 15 2018 - 16:47:44 EST

On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> I see that module signing code trusts only builtin keys and
> not the keys in secondary_trusted_keys keyring.

This, I think, makes sense.

It basically says: we don't allow modules that weren't built with the
kernel. Adding a new key later and signing a module with it violates
that premise.