On Sun, Sep 15, 2024 at 07:52:13PM +0200, Roberto Sassu wrote: Good morning, I hope the day is starting well for everyone. > On 9/15/2024 11:31 AM, Herbert Xu wrote: > >On Sun, Sep 15, 2024 at 05:15:25PM +0800, Herbert Xu wrote: > >> > >>Roberto, correct me if I'm wrong but your intended use case is > >>the following patch series, right? > > > >Actually the meat of the changes is in the following series: > > > >https://lore.kernel.org/linux-integrity/20240905150543.3766895-1-roberto.sassu@xxxxxxxxxxxxxxx/ > Yes, correct. The idea is to verify the authenticity of RPM headers, > extract the file digests from them, and use those file digests as > reference values for integrity checking of files accessed by user > space processes. > > If the calculated digest of a file being accessed matches one > extracted from the RPM header, access is granted otherwise it is > denied. Based on the above response and your comment: "The security policy I want to enforce is: all code that the system executes has been built by a trusted source (e.g. a Linux distribution)."
