Comment 4 for bug 1928679

Dimitri John Ledkov (xnox) wrote:

Verifying using hirsute:

# uname -r
5.11.0-1014-kvm

# grep CODENAME /etc/os-release
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute

# keyctl list %:.blacklist
Can't find 'keyring:.blacklist'

Upgraded kernel:

# uname -r
5.11.0-1015-kvm

# keyctl list %:.blacklist
1 key in keyring:
330780907: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

In dmesg:
[ 0.375674] blacklist: Loading compiled-in revocation X.509 certificates
[ 0.376015] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

No other blacklist hashes got imported, because they do not appear in the mokvar table nor in the MokListRT mirror variable, nor does the kvm kernel appear to have a platform keyring... which is very odd, because the UEFI db keys for Microsoft Production PCA 2011 and UEFI CA 2011 are missing.

It seems to me that the kvm kernel is a bit broken and doesn't have support for mokvar or the .platform keyring, which is very bad.
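The checks made in the comment above, as an added example that is not part of the bug report or of the Ubuntu kernel packaging: a POSIX shell script that looks for the revoked Canonical signing certificate in the .blacklist keyring, reports whether a .platform keyring exists at all, and checks dmesg for the compiled-in revocation load. The fingerprint is the one quoted in the comment; the sample outputs are constructed copies of what was pasted above. It assumes keyutils is installed for keyctl and, for the mokvar check, a kernel that exposes the table under /sys/firmware/efi/mok-variables.

```shell
#!/bin/sh
# Added example, not code from the bug report: automates the verification
# steps from the comment. The text-parsing functions are testable against
# captured output; check_running_kernel runs the live commands (--live).

# Fingerprint of the Canonical Secure Boot Signing key seen in .blacklist above.
EXPECTED_BLACKLIST_FPR="61482aa2830d0ab2ad5af10b7250da9033ddcef0"

# Constructed samples, copied from the outputs quoted in the comment.
SAMPLE_OLD_BLACKLIST="Can't find 'keyring:.blacklist'"
SAMPLE_NEW_BLACKLIST="1 key in keyring:
330780907: ---lswrv     0     0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0"
SAMPLE_DMESG="[    0.375674] blacklist: Loading compiled-in revocation X.509 certificates
[    0.376015] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'"

# keyring_present OUTPUT: succeeds unless keyctl reported the keyring missing.
keyring_present() {
    case "$1" in
        *"Can't find"*) return 1 ;;
        *) return 0 ;;
    esac
}

# count_keys OUTPUT: prints N from the "N key(s) in keyring:" header, else 0.
count_keys() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) keys* in keyring:.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# blacklist_has_cert OUTPUT FPR: succeeds if an asymmetric key whose
# description ends in FPR is listed.
blacklist_has_cert() {
    printf '%s\n' "$1" | grep -q "asymmetric: .*: $2\$"
}

# dmesg_revocation_loaded DMESG FPR: requires both the "Loading compiled-in
# revocation" line and the matching "Loaded X.509 cert" line.
dmesg_revocation_loaded() {
    printf '%s\n' "$1" | grep -q 'blacklist: Loading compiled-in revocation X.509 certificates' &&
    printf '%s\n' "$1" | grep -q "Loaded X.509 cert '.*: $2'"
}

# check_running_kernel: live version of the checks, never exits non-zero so
# the output can be read in full.
check_running_kernel() {
    echo "kernel: $(uname -r)"
    if ! command -v keyctl >/dev/null 2>&1; then
        echo "SKIP: keyctl not installed (package keyutils)"
        return 0
    fi
    bl=$(keyctl list %:.blacklist 2>&1) || true
    if keyring_present "$bl" && blacklist_has_cert "$bl" "$EXPECTED_BLACKLIST_FPR"; then
        echo "PASS: .blacklist has $(count_keys "$bl") key(s), revoked Canonical cert present"
    else
        echo "FAIL: .blacklist missing or lacks $EXPECTED_BLACKLIST_FPR"
    fi
    pl=$(keyctl list %:.platform 2>&1) || true
    if keyring_present "$pl"; then
        echo "PASS: .platform keyring present with $(count_keys "$pl") key(s)"
    else
        echo "FAIL: no .platform keyring (kernel built without platform keyring support?)"
    fi
    if [ -d /sys/firmware/efi/mok-variables ]; then
        echo "INFO: mokvar table exposed: $(ls /sys/firmware/efi/mok-variables | tr '\n' ' ')"
    else
        echo "INFO: no /sys/firmware/efi/mok-variables (no mokvar support, or not booted via shim)"
    fi
    dm=$(dmesg 2>/dev/null) || true
    if dmesg_revocation_loaded "$dm" "$EXPECTED_BLACKLIST_FPR"; then
        echo "PASS: dmesg shows the compiled-in revocation cert being loaded"
    else
        echo "WARN: revocation load not in dmesg (ring buffer rotated, or cert not loaded)"
    fi
}

if [ "${1-}" = "--live" ]; then
    check_running_kernel
fi
```

Run it as root with --live on the target machine. On the 5.11.0-1014-kvm kernel from the comment the .blacklist check fails exactly as the pasted output shows; on 1015 it passes, and the .platform line reproduces the missing-keyring observation xnox flags at the end of the comment.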