Comment 14 for bug 1939565

Hi Steve Langasek,
If an attacker is able to sign a custom kernel module & compromise a system via that means is there a reason to restrict the rather easy to use `update-secureboot-policy --new-key` method to only kernel modules? (Can we modify it to allow signing kernels in addition to kernel modules?)