From a460debc8ea366c0c706de3b71e2c6ff56988791 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Sat, 12 Nov 2022 01:07:13 +0000 Subject: [PATCH] README: note Kconfig for verifying DDIs via MoK keys Also note them in the mkosi.build kernel config list --- README | 5 +++++ mkosi.build | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/README b/README index f6e92464c21..d8c279f9fa2 100644 --- a/README +++ b/README @@ -128,6 +128,11 @@ REQUIREMENTS: Required for signed Verity images support: CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG + Required to verify signed Verity images using keys enrolled in the MoK + (Machine-Owner Key) keyring: + CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING + CONFIG_IMA_ARCH_POLICY + CONFIG_INTEGRITY_MACHINE_KEYRING Required for RestrictFileSystems= in service units: CONFIG_BPF diff --git a/mkosi.build b/mkosi.build index cbf82811cf2..70721a88a30 100755 --- a/mkosi.build +++ b/mkosi.build @@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then --enable MEMCG \ --enable MEMCG_SWAP \ --enable MEMCG_KMEM \ + --enable IMA_ARCH_POLICY \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \ + --enable INTEGRITY_MACHINE_KEYRING \ --enable NETFILTER_ADVANCED \ --enable NF_CONNTRACK_MARK -- 2.47.3