Secure boot certificates and Linux keyrings
The Linux® kernel maintains lists of encryption and authentication keys in so-called kernel keyrings.
One such keyring is the platform keyring. On the Linux distributions listed in Supported environments, Linux automatically adds all secure boot certificates used by IBM Z® firmware during secure boot to the platform keyring.
To use the keyctl command, you require the keyutils package, available from: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
Note: Secure boot certificates are not added to the platform keyring in the upstream kernel.
Use the following command to display the list of keys in the platform keyring:
# keyctl show %:.platform
Keyring
 104926345 ---lswrv      0     0  keyring: .platform
 629804537 ---lswrv      0     0   \_ asymmetric: SUSE Linux Enterprise Secure Boot Signkey: a746b64b6cb71f13385638055f46162bac632acd
 241500789 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Secure Boot Signing (ZIPL, 2019): 54d6f4e263d8c44592aca76962cf13795f0c30da
 889219187 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot (signing key 2): 80d598d7d868efaaefb968534a99b3d7490da9e6
  90870925 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot Signing 3 (beta): 65c5becae6596afd6c71c4a798c6258d7b6705d0
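To check the platform keyring against a list of signing keys you expect, the listing above can be parsed and compared. This is an added example, not code from IBM or the keyutils project; KeyEntry, parse_keyring, audit and read_platform_keyring are hypothetical names, and the sample text is the listing from this page.

```python
import re
import subprocess
from typing import NamedTuple

class KeyEntry(NamedTuple):
    serial: int   # kernel key serial number (first column)
    perms: str    # permission string, for example ---lswrv
    name: str     # certificate name from the description
    key_id: str   # hex identifier printed after the name

# Listing from this page, one key per line.
SAMPLE = r"""Keyring
 104926345 ---lswrv      0     0  keyring: .platform
 629804537 ---lswrv      0     0   \_ asymmetric: SUSE Linux Enterprise Secure Boot Signkey: a746b64b6cb71f13385638055f46162bac632acd
 241500789 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Secure Boot Signing (ZIPL, 2019): 54d6f4e263d8c44592aca76962cf13795f0c30da
 889219187 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot (signing key 2): 80d598d7d868efaaefb968534a99b3d7490da9e6
  90870925 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot Signing 3 (beta): 65c5becae6596afd6c71c4a798c6258d7b6705d0
"""

# Columns: serial, permissions, uid, gid, optional "\_" tree marker, key type, description
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+-?\d+\s+-?\d+\s+(?:\\_\s+)?(\w+):\s+(.+)$")

def parse_keyring(text):
    """Return the asymmetric keys listed in `keyctl show` output."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "asymmetric":
            continue  # header line, the keyring itself, or another key type
        name, sep, key_id = m.group(4).rpartition(": ")
        if not sep or not re.fullmatch(r"[0-9a-fA-F]+", key_id.strip()):
            name, key_id = m.group(4), ""  # description without a trailing hex id
        entries.append(KeyEntry(int(m.group(1)), m.group(2), name, key_id.strip().lower()))
    return entries

def audit(entries, expected_ids):
    """Compare listed key ids with an allowlist; return (missing, unexpected)."""
    present = {e.key_id for e in entries if e.key_id}
    expected = {i.lower() for i in expected_ids}
    return sorted(expected - present), sorted(present - expected)

def read_platform_keyring():
    """Run the command from this page on a live system (needs keyutils)."""
    return subprocess.run(["keyctl", "show", "%:.platform"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for k in parse_keyring(SAMPLE):
        print(f"{k.serial:>10}  {k.perms}  {k.key_id}  {k.name}")
```

On a live system, pass the result of read_platform_keyring() to parse_keyring() instead of SAMPLE.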