Comment 0 for bug 1932029

Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.

Add support in our kernel configuration to have built-in certificates.

Revoke UEFI amd64 & arm64 2012 signing certificate.

Under UEFI Secureboot with lockdown, shim may attempt to pass revoked certificates to the kernel and depending on how good EFI firmware is this may or may not succeed.

By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates.