Support extending trust store with Linux kernel keyrings #1096

@bureado

Description


Is your feature request related to a problem?

Modern Linux-based systems use the kernel keyrings (part of a broader kernel service) to determine what keys are trusted by the system.

Among other things, this allows the owner of a system and the owner of the OS image to both contribute keys to the trust store. Inability to use the kernel keyring means that any changes to the trust store need to be reflected in the policy, typically on disk.

What solution do you propose?

Externalize or extend the trust store to use certificates in the kernel keyring, possibly when instructed to do so via a trust policy or an environment variable.

What alternatives have you considered?

The alternative seems to be for a userspace process to walk over the kernel keyrings, perform export operations, reconstruct a trust policy and populate the trust store, which results in duplication, a need to synchronize lifecycle events, and more userspace code, which increases the attack surface.

For example, the AKV plugin calls for an az keyvault certificate show ... followed by a notation cert add. This is the specific step I'm suggesting we can get rid of by a trust policy potentially indicating it's acceptable for notation to use the kernel keyring as an extended trust store.

I read the documentation on plugins which appears to focus on extending signing mechanisms, not on externalizing trust stores.

Any additional context?

No response
