README: note Kconfig for verifying DDIs via MoK keys

Also note them in the mkosi.build kernel config list
2026-03-06 15:02:31 -08:00 · 2022-11-12 01:07:13 +00:00
parent 4445b3574f
commit a460debc8e
2 changed files with 9 additions and 0 deletions
--- a/5
+++ b/5
@@ -128,6 +128,11 @@ REQUIREMENTS:

        Required for signed Verity images support:
          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
+        Required to verify signed Verity images using keys enrolled in the MoK
+        (Machine-Owner Key) keyring:
+          CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
+          CONFIG_IMA_ARCH_POLICY
+          CONFIG_INTEGRITY_MACHINE_KEYRING

        Required for RestrictFileSystems= in service units:
          CONFIG_BPF
--- a/mkosi.build
+++ b/mkosi.build
@@ -307,6 +307,10 @@ if [ -d mkosi.kernel/ ]; then
                --enable MEMCG \
                --enable MEMCG_SWAP \
                --enable MEMCG_KMEM \
+                --enable IMA_ARCH_POLICY \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG \
+                --enable DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \
+                --enable INTEGRITY_MACHINE_KEYRING \
                --enable NETFILTER_ADVANCED \
                --enable NF_CONNTRACK_MARK