Comment 19 for bug 1798863

Seth Forshee (sforshee) wrote :

I can clarify what's happening in the kernel. There are two bugs, and one is masking the other.

The first bug is that we don't use the secondary keyring for verifying module signatures. The secondary keyring is where the MOK ends.

The second bug is that we aren't enforcing that modules must be signed when under lockdown. So even though signature verification fails due to the first bug, the module is still allowed to load.

I have patches for both bugs.