platform owner should be able to store root certificate on target system
he should be able to change root certificate
a person with just root access should not be able to change root certificate
Research possibility to use TPM or UEFI Authenticated Variables.
Storing root cert in kernel image seems to be the only secure option for platforms without secure storage and thus should be supported at least as a backup strategy.
Research possibility to use TPM or UEFI Authenticated Variables.
Storing root cert in kernel image seems to be the only secure option for platforms without secure storage and thus should be supported at least as a backup strategy.