The .machine kernel keyring is introduced in UEK R7. You can use this keyring as a kernel level trust anchor for any operation that uses asymmetrical keys. The .machine keyring has the same level of trust within the kernel as the .builtin_trusted_keys and the .secondary_trusted_keys keyrings. Similar to the built-in and secondary keyrings, you can use keys in the .machine keyring to do the following:

• Perform kernel module signature validation.

• Add additional keys to the .secondary_trusted_keys keyring.

• Serve as a CA for IMA appraisal keys.

Note that keys contained within the .machine keyring must be a root CA certificate. To qualify as a root CA certificate, the following two requirements must be met:

• The X.509 certificate shall be self-signed.

• The X.509 certificate shall contain X509v3 extensions with basicConstraints=critical,CA:TRUE

It is also highly advised the keyUsage field is set with keyCertSign.

Unlike previous UEK releases, keys contained within the .platform keyring in UEK R7 may only be used for kexec. Also, you may not use the .platform keys for any other purpose; whereas, in previous UEK releases, you could use the .platform keyring for kernel module signature validation, but they could not be used for any other kernel key operations.

The easiest way to add keys to the .machine keyring is by enrolling them with the mokutil utility. Note that this method requires that you first create an X.509 key pair.

Unbreakable Enterprise Kernel Release 7 enables Intel Software Guard Extensions (SGX) technology on the third-generation Intel Xeon Scalable processor (codename Ice Lake).

Applications can use this hardware functionality to populate protected regions of user code and data, called enclaves. When activated, the new hardware protects enclave code and data from outside access and modification. Enclaves provide a place to store secrets and then process data with those secrets, such as DRM software. SGX assists in providing protection against many known cybersecurity threats, thereby reducing the attack surface of servers through the use of secure enclaves, which protect information from processes running at a higher privilege.