Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> > > > This allows keys in the UEFI database to be added in secure boot mode
> > > > for the purposes of module signing.
> > > 
> > > The key import should not be automatic, it should be optional.
> > 
> > You can argue this either way.  There's a config option to allow you to
> > turn this on or off.  Arguably, this should be split in two: one for the
> > whitelist (db, MokListRT) and one for the blacklist (dbx).
> 
> By "config", you're not referring to a Kconfig option, but a UEFI db
> option, making it hidden/unknown to someone building a kernel.  If you
> really want to add this support, make it clear and easily seen by
> defining a "restrict_link_by_builtin_or_uefi" function.

No: by "config" I *am* referring to Kconfig.

David
