Comment 10 for bug 1903288

Sorry for the delayed response here, it's taken me a while to get some of the needed information.

In general this should be fine. One thing to note is that the key is self-signed, so we will need to add the signing key itself into .builtin_trusted_keys. This should still allow loading the key into the IMA keyring. It might not be necessary to do so, if IMA trusts keys in .builtin_trusted_keys for signing kexec kernels (I don't know if it does or not), but it seems to be that structuring this as though the CA and signing keys are separate keys is a good idea to ensure that this continues to work if the key setup ever changes in the future.

I'll work on getting some test packages put together in a PPA for testing. Let me know if you see any changes which need to be made as a result of the information I've provided.