Only CA keys without DigitialSignature usage set

configname: CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX

Linux Kernel Configuration
└─>Security options
└─>Only CA keys without DigitialSignature usage set
In linux kernel since version 4.14.326 (release Date: 2023-09-23)  
When selected, only load CA keys are loaded into the machine
keyring that contain the CA bit set along with the keyCertSign
Usage field. Keys containing the digitialSignature Usage field
will not be loaded. The remaining MOK keys are loaded into the
.platform keyring.