diff options
author | Luca Boccassi <bluca@debian.org> | 2022-11-12 01:07:13 +0000 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2022-11-14 11:09:36 +0000 |
commit | a460debc8ea366c0c706de3b71e2c6ff56988791 (patch) | |
tree | 8bb24cca0d333100679d6f8a1654af66fe5a5915 | |
parent | 4445b3574fb2cce3f917f394011caa161e5f7294 (diff) | |
download | systemd-a460debc8ea366c0c706de3b71e2c6ff56988791.tar.gz |
README: note Kconfig for verifying DDIs via MoK keys
Also note them in the mkosi.build kernel config list
-rw-r--r-- | README | 5 | ||||
-rwxr-xr-x | mkosi.build | 4 |
2 files changed, 9 insertions, 0 deletions
@@ -128,6 +128,11 @@ REQUIREMENTS: Required for signed Verity images support: CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG + Required to verify signed Verity images using keys enrolled in the MoK + (Machine-Owner Key) keyring: + CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING + CONFIG_IMA_ARCH_POLICY + CONFIG_INTEGRITY_MACHINE_KEYRING Required for RestrictFileSystems= in service units: CONFIG_BPF diff --git a/mkosi.build b/mkosi.build index cbf82811cf..70721a88a3 100755 --- a/mkosi.build +++ b/mkosi.build @@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then --enable MEMCG \ --enable MEMCG_SWAP \ --enable MEMCG_KMEM \ + --enable IMA_ARCH_POLICY \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG \ + --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \ + --enable INTEGRITY_MACHINE_KEYRING \ --enable NETFILTER_ADVANCED \ --enable NF_CONNTRACK_MARK |