There does appear to be a complication for this change. keyctl can add trusted, but not read encrypted keys:
# keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
# keyctl pipe `keyctl search @u encrypted evm-key`
keyctl_read_alloc: Operation not supported
# keyctl search @u encrypted evm-key
58969095
If trusted is a module, and encrypted is builtin, encrypted cannot open a trusted key because the masterkey_trusted.o types are not exported out of the encrypted-keys namespace?
(mind you, I am not a kernel developer, and this C is ... waaaaay out of my league.)
In summary:
CONFIG_TRUSTED_KEYS=n && CONFIG_ENCRYPTED_KEYS=y == keyctl add trusted fails.
CONFIG_TRUSTED_KEYS=m && CONFIG_ENCRYPTED_KEYS=y == keyctl read encrypted from a trusted key fails.
In order to have both, both have to be modules (to export the types), or both have to be builtin (to use the shared type lookups?).
CONFIG_TRUSTED_KEYS=y
I built the kernel again with the change above and:
# uname -a
Linux debian 6.12.43 #28 SMP PREEMPT_DYNAMIC Tue Sep 9 12:57:21 EDT 2025 x86_64 GNU/Linux
# dmesg | grep -P '(trusted|encrypted)'
[ 1.779375] Initialise system trusted keyrings
[ 4.969001] Key type trusted registered
[ 5.001211] Key type encrypted registered
[ 24.235628] trusted_key: encrypted_key: master key parameter '' is invalid
# keyctl search @u trusted kmk-trusted
625450296
# keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
234222391
# keyctl link @u @s
# keyctl pipe `keyctl search @u encrypted evm-key`
default trusted:kmk-trusted 32 <<REDACTED KEY MATERIAL>>
Success.
Given my original goal was to follow the instructions as provided, I change my request to reconfigure the kernel build to CONFIG_TRUSTED_KEYS=y to fix the keyctl for both trusted and encrypted types.
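
A check for the combinations summarised in this message, added here as an example and not part of the original report: it reads a kernel config file and labels the CONFIG_TRUSTED_KEYS / CONFIG_ENCRYPTED_KEYS pairing. The function names, verdict labels and sample config are constructed, and the verdicts encode only what the reporter observed, not a statement about the kernel source.

```shell
#!/bin/sh
# Added example: kconfig_state and check_keys_config are hypothetical helpers.

# Print y, m or n for one Kconfig symbol ($2) in a config file ($1).
kconfig_state() {
    # Unset symbols appear as "# CONFIG_X is not set" or are absent; both map to n.
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# Label the trusted/encrypted pairing according to the cases reported above.
check_keys_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    trusted=$(kconfig_state "$1" CONFIG_TRUSTED_KEYS)
    encrypted=$(kconfig_state "$1" CONFIG_ENCRYPTED_KEYS)
    case "$trusted/$encrypted" in
        n/y)     verdict=add-trusted-fails ;;     # reported: keyctl add trusted fails
        m/y)     verdict=read-encrypted-fails ;;  # reported: reading the encrypted key fails
        y/y|m/m) verdict=ok ;;                    # both builtin or both modules
        */n)     verdict=no-encrypted ;;          # encrypted key type not built at all
        *)       verdict=unreported ;;            # e.g. y/m, not covered by the report
    esac
    echo "$verdict trusted=$trusted encrypted=$encrypted"
}

# Constructed sample config reproducing the second reported case.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=y
EOF
check_keys_config "$sample"
rm -f "$sample"
```

On a running system the same function can be pointed at the installed config, for example check_keys_config "/boot/config-$(uname -r)".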