On Mon, Nov 28, 2016 at 01:35:57PM -0700, Tim Gardner wrote: > +CONFIG_IMA_APPRAISE_SIGNED_INIT=y This one is a bit concerning, "This option requires user-space init to be signed." I _think_ appraisal only happens if enabled on the kernel command line, and in that case this should be fine.