[PATCH 0/8][j/k/l/m linux][j/k/l/m linux-kvm] CONFIG_DM_VERITY=m

Tim Gardner tim.gardner at canonical.com
Thu May 11 18:50:32 UTC 2023


BugLink: https://bugs.launchpad.net/bugs/2019040

SRU Justification

[Impact]

The kvm flavours currently do not enable dm-verity. This stops us from using
integrity protected and verified images in VMs using this kernel flavour.

All of the master kernels should also have CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING enabled. These
config changes should bubble down into the cloud derivative kernels.

[Fix]

Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING

(The latter is needed to ensure that MoK keys can be used to verify dm-verity images
too, via the machine keyring linked to the secondary keyring)

These are already enabled in the 'main' kernel config, and in other distros.

As a specific and explicit use case, in the systemd project we want to test
functionality provided by systemd that needs these kconfigs on Ubuntu machines running
the kvm flavour kernel.

Note that I explicitly did not enable CONFIG_IMA as requested in the bug report since
it has performance impacts.

[Regression Potential]

MOK keys may not be correctly read.

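As an added check (not part of this patch series or the Ubuntu kernel tree), the script below confirms that a kernel config carries the three options requested above, either in a saved .config or in the booted kernel's config. The function names are ours, and the two sample configs it writes are constructed for illustration, one resembling a kvm flavour before this series and one after.

```shell
#!/bin/sh
# Added example (not from the patch series or the Ubuntu kernel tree):
# confirm that a kernel config carries the three dm-verity options this
# cover letter asks for. Function names are ours; the two sample configs
# below are constructed for illustration, not copied from any flavour.

# The options requested in the SRU justification.
DM_VERITY_OPTS="CONFIG_DM_VERITY \
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG \
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING"

# check_dm_verity_config FILE
# Prints one line per option and returns 0 only if every option is set to
# y or m. Matching is anchored on the whole line, so neither
# "# CONFIG_DM_VERITY is not set" nor the longer CONFIG_DM_VERITY_FEC=y can
# be mistaken for CONFIG_DM_VERITY being enabled.
check_dm_verity_config() {
    cfg="$1"
    missing=0
    for opt in $DM_VERITY_OPTS; do
        value=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg")
        if [ -n "$value" ]; then
            echo "ok       $opt=$value"
        else
            echo "MISSING  $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_running_kernel
# Same check against the booted kernel: Ubuntu installs /boot/config-$(uname -r),
# and /proc/config.gz is available when CONFIG_IKCONFIG_PROC is set.
check_running_kernel() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then
        check_dm_verity_config "/boot/config-$rel"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        rc=0
        check_dm_verity_config "$tmp" || rc=$?
        rm -f "$tmp"
        return "$rc"
    else
        echo "no kernel config found for $rel" >&2
        return 2
    fi
}

# Constructed sample: a kvm-flavour config before this series, with
# dm-verity left unset.
write_before_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_DM_VERITY is not set
EOF
}

# Constructed sample: the same config after the requested changes
# (DM_VERITY as a module, the two signature options built in).
write_after_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
CONFIG_DM_VERITY_FEC=y
EOF
}

# Stand-alone run ("sh check-dm-verity.sh --demo"): compare the two
# samples, then report on the booted kernel if its config is readable.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_before_config "$d/before"; write_after_config "$d/after"
    echo "== before"; check_dm_verity_config "$d/before" || true
    echo "== after";  check_dm_verity_config "$d/after"
    rm -rf "$d"
    check_running_kernel || true
fi
```

Once a kernel built with these options is booted, the quickest way to exercise the regression-potential item above is to look at the keyrings rather than the config: `keyctl list %:.machine` should show the MoK certificates, and `keyctl show %:.secondary_trusted_keys` should show the machine keyring linked under the secondary keyring, which is what the SECONDARY_KEYRING option makes dm-verity consult.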