Comment 13 for bug 1903288

Dimitri John Ledkov (xnox) wrote : Re: Power guest secure boot with static keys: kernel portion

@Daniel
"In either case, however, the CA that signs the kernel signing key needs to be built in to the kernel's .builtin_trusted_keys keyring."

On Ubuntu, for OPAL signing, on PowerPC, we do not use a CA at all. It is our understanding that firmware doesn't support verifying signature chains to a CA. Thus instead we use self-signed certificates for the kernel which have not been signed by a CA.

Thus we should simply include them all in trusted keyring, and there is no need to ship anything on disk or load anything from the userspace.

We have UEFI CA which is used for UEFI booting and embedded in the UEFI shim, but I do not believe it is appropriate to use that CA here, as the revocations are controlled by a KEK key which has no relationship with POWER firmware vendors.

@sforshee

Subject: CN = Canonical Ltd. Live Patch Signing
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., OU = Secure Boot, CN = "Canonical Ltd. Secure Boot Signing (POWER, 2017)"
Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing

This is all that's needed for now. However, we should also start shipping the next/future OPAL signing certificate that we have generated in 2019.

Please add the 2019 OPAL signing certificate as debian/opal-2019-ppc64el.pem.
Key ID: 6B:E5:A1:25:FC:48:97:91:02:2C:2B:FB:54:91:16:F6:07:16:EA:81

There is no CA to add, and no keys to load from userspace.
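A check a reviewer of such a change could run, added here as an example that is not part of the bug thread or of Ubuntu's packaging: it assumes the openssl CLI (1.1.1 or newer, for `-ext`) and a hypothetical CERT path such as the debian/opal-2019-ppc64el.pem above; given the comment's Key ID in EXPECTED_ID it confirms the certificate is self-signed (no CA in the chain) and that its Subject Key Identifier is the stated one.

```shell
#!/bin/sh
# Added example for this bug comment; not Ubuntu's or the kernel's own code.
# Checks that a PEM certificate proposed for the kernel's builtin keyring is
# self-signed (no CA involved) and that its Subject Key Identifier matches the
# Key ID quoted in the comment. Assumes the openssl CLI, 1.1.1 or newer.
# CERT and EXPECTED_ID are hypothetical environment variables set by the caller.
set -eu

# Subject Key Identifier as uppercase colon-separated hex, the form the kernel
# keyring and this bug comment use for "Key ID".
cert_key_id() {
    openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
        | sed -n '2p' | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Returns 0 when the certificate is self-signed: issuer equals subject, and the
# certificate verifies with itself as the only trust anchor.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate's key id equals the expected one
# (comparison is case-insensitive on the hex digits).
cert_key_id_matches() {
    [ "$(cert_key_id "$1")" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Usage: CERT=debian/opal-2019-ppc64el.pem EXPECTED_ID=6B:E5:... sh check-cert.sh
if [ -n "${CERT:-}" ]; then
    if cert_is_self_signed "$CERT"; then
        echo "$CERT: self-signed, no CA needed in the keyring"
    else
        echo "$CERT: NOT self-signed, a CA would be required"
    fi
    echo "$CERT: key id $(cert_key_id "$CERT")"
    if [ -n "${EXPECTED_ID:-}" ]; then
        if cert_key_id_matches "$CERT" "$EXPECTED_ID"; then
            echo "$CERT: key id matches the stated Key ID"
        else
            echo "$CERT: key id MISMATCH against the stated Key ID"
        fi
    fi
fi
```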