Hello everyone I have done some work in the integrity subsystem, called Digest Lists Integrity Module (DIGLIM). It simplifies the effort necessary to do IMA appraisal, by reusing the digests included in the header of existing RPM packages as reference values. It wouldn't require any change in the building infrastructure. It also provides an alternative way of attesting systems, by keeping the TPM PCR extended with software measurements, stable and predictable. The main benefit is the ability to seal a TPM key to the desired software configuration, so that a TLS secure communication can be established when only software from installed RPMs is executed. It would be possible to integrate this solution in Keylime. I have proposed this feature for upstream inclusion: https://lore.kernel.org/linux-integrity/20210914163401.864635-1-roberto.sassu@xxxxxxxxxx/ I also rebuilt the Fedora kernel in copr, with DIGLIM: https://copr.fedorainfracloud.org/coprs/robertosassu/DIGLIM/ You can find the instructions about how to use it here: https://lore.kernel.org/linux-integrity/48cd737c504d45208377daa27d625531@xxxxxxxxxx/ I would like to join one of your subgroups, for example fedora-contributor, so that I can propose a new feature for Fedora 36/37. Thanks Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
