Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
From: Linus Torvalds
Date: Wed Aug 15 2018 - 16:47:44 EST
On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>
> I see that module signing code trusts only builtin keys and
> not the keys in secondary_trusted_keys keyring.
This, I think, makes sense.
It basically says: we don't allow modules that weren't built with the
kernel. Adding a new key later and signing a module with it violates
that premise.
Linus