Only CA keys without DigitialSignature usage set
configname: CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX
Linux Kernel Configuration
└─>Security options
└─>Only CA keys without DigitialSignature usage set
In the Linux kernel since version 4.14.326 (release date: 2023-09-23)
When selected, only CA keys that have the CA bit set along with the
keyCertSign Usage field are loaded into the machine keyring. Keys
containing the digitalSignature Usage field will not be loaded into
it. The remaining MOK keys are loaded into the .platform keyring.
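
To check where a MOK certificate would land under this option, the rule above can be applied to the extension section of `openssl x509 -noout -text` output. This is an added example, not kernel code: the function names and the three certificate excerpts are constructed for illustration, and the returned strings are labels for the two keyrings named above.

```python
import re

def parse_extensions(text):
    """Return (is_ca, key_usages) from `openssl x509 -noout -text` output."""
    is_ca, usages = False, set()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        name = line.strip()
        value = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if name.startswith("X509v3 Basic Constraints"):
            is_ca = re.search(r"\bCA:TRUE\b", value) is not None
        elif name.startswith("X509v3 Key Usage"):  # does not match Extended Key Usage
            usages = {u.strip() for u in value.split(",") if u.strip()}
    return is_ca, usages

def keyring_for(text):
    """Apply the rule in the help text: CA bit + keyCertSign, no digitalSignature."""
    is_ca, usages = parse_extensions(text)
    if is_ca and "Certificate Sign" in usages and "Digital Signature" not in usages:
        return "machine"
    return "platform"  # a missing Key Usage extension also ends up here

# Constructed excerpts in the layout openssl prints; not real certificates.
CA_ONLY = """\
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""
CA_AND_SIGNING = """\
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage:
                Digital Signature, Certificate Sign
"""
LEAF_SIGNER = """\
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
"""

if __name__ == "__main__":
    for label, sample in [("CA only", CA_ONLY), ("CA + signing", CA_AND_SIGNING),
                          ("leaf signer", LEAF_SIGNER)]:
        print(f"{label}: {keyring_for(sample)}")
```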