Howell made a request for a patchset to be pulled into the mainline kernel last Thursday, writing, “It (the patchset) provides a facility by which keys can be added dynamically to a kernel that is running in secure-boot mode.
“To permit a key to be loaded under such a condition, we require that the new key be signed by a key that we already have (and trust) – where keys that we “already have” could include those embedded in the kernel, those in the UEFI database and those in cryptographic hardware.”