Hi,
Enabling a DKMS package does indeed allow root to sign arbitrary modules. This is part of the compromise of being able to use DKMS packages.
Since this works as intended, I am marking this bug as invalid.
If you have a requirement in your environment where you do not wish the root user to be able to sign arbitrary modules, you must not install DKMS packages and enroll the extra key.