README: note Kconfig for verifying DDIs via MoK keys

Also note them in the mkosi.build kernel config list
author: Luca Boccassi <bluca@debian.org> 2022-11-12 01:07:13 +0000
committer: Luca Boccassi <bluca@debian.org> 2022-11-14 11:09:36 +0000
commit: a460debc8ea366c0c706de3b71e2c6ff56988791 (patch)
tree: 8bb24cca0d333100679d6f8a1654af66fe5a5915
parent: 4445b3574fb2cce3f917f394011caa161e5f7294 (diff)
download: systemd-a460debc8ea366c0c706de3b71e2c6ff56988791.tar.gz
2 files changed, 9 insertions, 0 deletions
diff --git a/README b/README
index f6e92464c2..d8c279f9fa 100644
--- a/README
+++ b/README
@@ -128,6 +128,11 @@ REQUIREMENTS:
 
         Required for signed Verity images support:
           CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
+        Required to verify signed Verity images using keys enrolled in the MoK
+        (Machine-Owner Key) keyring:
+          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+          CONFIG_IMA_ARCH_POLICY
+          CONFIG_INTEGRITY_MACHINE_KEYRING
 
         Required for RestrictFileSystems= in service units:
           CONFIG_BPF
diff --git a/mkosi.build b/mkosi.build
index cbf82811cf..70721a88a3 100755
--- a/mkosi.build
+++ b/mkosi.build
@@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then
                 --enable MEMCG \
                 --enable MEMCG_SWAP \
                 --enable MEMCG_KMEM \
+                --enable IMA_ARCH_POLICY \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \
+                --enable INTEGRITY_MACHINE_KEYRING \
                 --enable NETFILTER_ADVANCED \
                 --enable NF_CONNTRACK_MARK
author	Luca Boccassi <bluca@debian.org>	2022-11-12 01:07:13 +0000
committer	Luca Boccassi <bluca@debian.org>	2022-11-14 11:09:36 +0000
commit	a460debc8ea366c0c706de3b71e2c6ff56988791 (patch)
tree	8bb24cca0d333100679d6f8a1654af66fe5a5915
parent	4445b3574fb2cce3f917f394011caa161e5f7294 (diff)
download	systemd-a460debc8ea366c0c706de3b71e2c6ff56988791.tar.gz