Module signing and post-quantum crypto public key algorithms
David Howells
dhowells at redhat.com
Tue Nov 11 18:38:32 UTC 2025

Simo Sorce <simo at redhat.com> wrote:

> If a defect in a signing algorithm is found you can simply distribute a
> new kernel with modules resigned with a different algorithm.

Probably more "have to" than "can". The cert providing the composite key for
both would have to be invalidated to stop it from being used - and invalidated
by having it added to the UEFI dbx table.

David

More information about the Linux-security-module-archive mailing list