author: Jaakko Sirén <jaakko.s@iki.fi> 2026-01-04 21:46:30 +0200
committer: Jaakko Sirén <jaakko.s@iki.fi> 2026-01-05 00:31:52 +0200
commit: 15ac0a5b9b5c43ee28745544297bf9f662ca6432 (patch)
tree: 1456437f512784fa108d6aa233315a5e5c65caf7 /pkgs/development/python-modules/python-sql
parent: b1586577e72ef7723cfd62deb65412ad8f2e1de8 (diff)

kernel/common-config: enable fs-verity and IPE LSM

Enable filesystem integrity verification features:

- FS_VERITY: Per-file Merkle tree integrity verification. Files with fs-verity enabled become immutable and are verified block-by-block on read. Zero overhead when not used. Already enabled by default in Fedora, Ubuntu, and Arch.
- FS_VERITY_BUILTIN_SIGNATURES: Allow verifying fs-verity signatures against keys in the kernel keyring.
- SECURITY_IPE: Integrity Policy Enforcement LSM (merged in 6.12). Allows enforcing policies based on file integrity properties like fs-verity measurements or dm-verity. Useful for verified boot and ensuring only integrity-verified files can be executed.
- IPE_PROP_FS_VERITY: Allow IPE to use fs-verity as a trust source.
- IPE_PROP_FS_VERITY_BUILTIN_SIG: Allow IPE to require signed fs-verity.

These features have no runtime impact unless explicitly used, but enable important security use cases like immutable package stores (NixOS /nix/store) and verified boot configurations.

Diffstat (limited to 'pkgs/development/python-modules/python-sql')
0 files changed, 0 insertions, 0 deletions