README: note Kconfig for verifying DDIs via MoK keys 25361/head
authorLuca Boccassi <bluca@debian.org>
Sat, 12 Nov 2022 01:07:13 +0000 (01:07 +0000)
committerLuca Boccassi <bluca@debian.org>
Mon, 14 Nov 2022 11:09:36 +0000 (11:09 +0000)
Also note them in the mkosi.build kernel config list

README
mkosi.build

diff --git a/README b/README
index f6e92464c211d01feb1bef80ad0d51aabc07b0de..d8c279f9fa287d6a133b4df1aa23d808d24f9c79 100644 (file)
--- a/README
+++ b/README
@@ -128,6 +128,11 @@ REQUIREMENTS:
 
         Required for signed Verity images support:
           CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
+        Required to verify signed Verity images using keys enrolled in the MoK
+        (Machine-Owner Key) keyring:
+          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+          CONFIG_IMA_ARCH_POLICY
+          CONFIG_INTEGRITY_MACHINE_KEYRING
 
         Required for RestrictFileSystems= in service units:
           CONFIG_BPF
index cbf82811cf2be7a1cc5ae2d9cec26da2761fe67f..70721a88a30a22d2fa4fde535d41d2d83eb43dbf 100755 (executable)
@@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then
                 --enable MEMCG \
                 --enable MEMCG_SWAP \
                 --enable MEMCG_KMEM \
+                --enable IMA_ARCH_POLICY \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \
+                --enable INTEGRITY_MACHINE_KEYRING \
                 --enable NETFILTER_ADVANCED \
                 --enable NF_CONNTRACK_MARK
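Review bot: The four added `--enable` lines do not bring in the Kconfig symbols they depend on. `INTEGRITY_MACHINE_KEYRING` and `DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING` both depend on `SECONDARY_TRUSTED_KEYRING`; the former also needs `INTEGRITY_ASYMMETRIC_KEYS`, `SYSTEM_BLACKLIST_KEYRING` and `LOAD_UEFI_KEYS`, and `IMA_ARCH_POLICY` needs `IMA`. If this list is passed to the kernel's `scripts/config` (the command name is outside the hunk) and the config is then normalised, a symbol with an unmet dependency is dropped without an error, so the test kernel would not accept MoK-enrolled keys for Verity signatures. I would add the prerequisites next to the new lines, e.g. `--enable SECONDARY_TRUSTED_KEYRING \`, and check after the config step that the four symbols are still `=y` in the resulting `.config`. The command starts before the hunk and may continue past it, so the prerequisites may already be enabled in lines not shown here.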