From: Luca Boccassi Date: Sat, 12 Nov 2022 01:07:13 +0000 (+0000) Subject: README: note Kconfig for verifying DDIs via MoK keys X-Git-Tag: v253-rc1~529^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F25361%2Fhead;p=thirdparty%2Fsystemd.git README: note Kconfig for verifying DDIs via MoK keys Also note them in the mkosi.build kernel config list --- diff --git a/README b/README index f6e92464c21..d8c279f9fa2 100644 --- a/README +++ b/README @@ -128,6 +128,11 @@ REQUIREMENTS: Required for signed Verity images support: CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG + Required to verify signed Verity images using keys enrolled in the MoK + (Machine-Owner Key) keyring: + CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING + CONFIG_IMA_ARCH_POLICY + CONFIG_INTEGRITY_MACHINE_KEYRING Required for RestrictFileSystems= in service units: CONFIG_BPF diff --git a/mkosi.build b/mkosi.build index cbf82811cf2..70721a88a30 100755 --- a/mkosi.build +++ b/mkosi.build @@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then --enable MEMCG \ --enable MEMCG_SWAP \ --enable MEMCG_KMEM \ + --enable IMA_ARCH_POLICY \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \ + --enable INTEGRITY_MACHINE_KEYRING \ --enable NETFILTER_ADVANCED \ --enable NF_CONNTRACK_MARK
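Review bot: In the README hunk (@@ -128,6 +128,11 @@), the new MoK paragraph does not say that it builds on the entry directly above it. A reader configuring a kernel for MoK-verified images could enable only the three listed options and leave out CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG, which the mkosi.build hunk enables together with them. Suggest wording it as "Additionally required to verify signed Verity images using keys enrolled in the MoK (Machine-Owner Key) keyring:". A few words on why CONFIG_IMA_ARCH_POLICY belongs in this list would also help, since its connection to the MoK keyring is not evident from the option name.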
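Review bot: In the mkosi.build hunk (@@ -307,6 +307,10 @@), the four new --enable lines only switch the named options on, and nothing in the hunk confirms they are still set once the kernel configuration is resolved. If any of them has a Kconfig dependency that the rest of this list does not enable, it would be dropped without an error and the image would silently lack MoK-based verification. Suggest checking the generated configuration for CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING and CONFIG_INTEGRITY_MACHINE_KEYRING after this step, or stating in the commit message that this was verified. As a style point, the four lines sit between MEMCG_KMEM and NETFILTER_ADVANCED with IMA_ARCH_POLICY first; putting DM_VERITY_VERIFY_ROOTHASH_SIG first and keeping the same order as the README would make the two lists easier to compare.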