The Linux kernel's integrity subsystem verifies and enforces file integrity based on file signatures. Files are currently signed, post install, by walking the file system - a time consuming process. A better, more complete, solution is to include file signatures in software packages, similar to the existing file hashes. This enables files to be automatically labeled with signatures during installation.
This talk describes extending the UEFI secure boot certificate chain of trust to the OS to prevent unauthorized software/files from being executed or accessed. It will cover proposed software package manager changes for including and installing file signatures, locally signing certificates used for verifying file signatures, and loading the signed certificates onto the trusted IMA keyring.