> I am wondering why did we have to split this keyring to begin with. > So there are use cases where we want to trust builtin keys but > not the ones which came from other places (UEFI secure boot db, or > user loaded one)? > "User loaded ones" should not be trusted in general to prevent rootkits and similar from modifying the kernel (even if they have root).
According to the patch which introduced the secondary keyring (the one you mentioned), the requirements for adding keys to the secondary keyring are as follows: "Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring." I personally don't see a reason for this split, as the requirements for the secondary keyring are as strict as it can get. However, I'm new to this, so feel free to correct me. Yannik
