> I'd also consider to enable non-default CONFIG_EVM_ATTR_FSUUID. Actually CONFIG_EVM_ATTR_FSUUID is enabled by default. But I'd consider enabling also CONFIG_ENCRYPTED_KEYS as it's enabled for Ubuntu [1]
Thanks! Kind regards, Petr [1] https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/1403911081-32056-6-git-send-email-tyhi...@canonical.com/