Comment 0 for bug 1898716

Dimitri John Ledkov (xnox) wrote :

[Impact]

 * Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels

 * To make the Canonical Livepatch service compatible with SecureBoot out of the box, please add the Canonical Livepatch service key as trusted in the kernel by default

 * If a user wants to distrust the key, they can remove it via mokx or dbx, and we can revoke it by signing a revocation with 'canonical master ca'.

[Test Case]

 * Boot kernel
 * Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring

[Regression Potential]

 * Kernel keyring size will increase by one key. And thus kernel image will too.

[Other Info]

 * Current livepatch key fingerprints

mokutil uses DER format

$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA

The kernel uses PEM format

$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA