Feature Request
Resolution: Unresolved

1. Proposed title of this feature request
Enable IMA attestation in RHCOS
2. What is the nature and description of the request?
RHEL 9.4 already ships RPMs with embedded IMA signatures, as well as the CA certificate that enables verification and attestation of file contents against those IMA signatures at runtime. This request is to bring those RHEL features into RHCOS.
3. Why does the customer need this? (List the business requirements here)
- For Keylime, the presence of the IMA signatures enables appraisal and remote attestation of all RHEL-provided software against the RHEL signatures.
- For edge appliances, including Single Node OpenShift, the presence of the IMA signatures and ima-evm-utils allows installation of IMA policies that can enforce runtime integrity of RHEL software at the edge.
4. List any affected packages or components.
- RHCOS build would need to enable IMA signatures for all installed RPMs (See https://github.com/openshift/os/pull/1415)
- RHCOS build should include the ima-evm-utils RHEL package
- RHCOS initrd should include the 98-integrity dracut script to install IMA keys and policies at boot
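A quick way to check whether the RPM-delivered IMA signatures actually landed on an RHCOS (or RHEL) filesystem is to read the security.ima extended attribute and decode its signature header. The following is an added example, not code from this issue, from the openshift/os pull request, or from ima-evm-utils; it parses the v2 signature header that evmctl/rpm write, distinguishes a real signature from a digest-only xattr (which an appraise_type=imasig policy would reject), and reports whether the signing key id is in a caller-supplied trusted set. The key id 0xDEADBEEF, the zero-filled signature body and the trusted-key set are constructed for the example and are not real Red Hat values.

```python
"""Decode and classify security.ima xattrs (added example, not project code).

v2 IMA signature xattr layout (ima-evm-utils signature_v2_hdr):
  byte 0     : xattr type, 0x03 = EVM_IMA_XATTR_DIGSIG
  byte 1     : header version, 2
  byte 2     : hash algorithm id (linux/hash_info.h enum)
  bytes 3..6 : key id, big endian (ima-evm-utils derives it from the
               signing certificate's Subject Key Identifier)
  bytes 7..8 : signature length, big endian
  bytes 9..  : the signature itself
Type 0x04 (IMA_XATTR_DIGEST_NG) carries only [algo][digest], no signature.
"""
import errno
import os
import struct
import sys

EVM_IMA_XATTR_DIGSIG = 0x03
IMA_XATTR_DIGEST_NG = 0x04
DIGSIG_VERSION_2 = 2
HASH_ALGOS = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
              4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}


def parse_ima_xattr(data):
    """Decode a raw security.ima value; raise ValueError if malformed."""
    if not data:
        raise ValueError("empty security.ima value")
    xtype = data[0]
    if xtype == IMA_XATTR_DIGEST_NG:
        # Hash only: the kernel can measure with it but cannot appraise a signature.
        return {"type": "digest", "hash_algo": HASH_ALGOS.get(data[1], "unknown")}
    if xtype != EVM_IMA_XATTR_DIGSIG:
        raise ValueError("unsupported security.ima type 0x%02x" % xtype)
    if len(data) < 9:
        raise ValueError("signature header truncated")
    version, algo = data[1], data[2]
    if version != DIGSIG_VERSION_2:
        raise ValueError("unsupported signature header version %d" % version)
    keyid, sig_size = struct.unpack(">IH", data[3:9])
    sig = data[9:9 + sig_size]
    if len(sig) != sig_size:
        raise ValueError("signature shorter than declared length")
    return {"type": "signature", "hash_algo": HASH_ALGOS.get(algo, "unknown"),
            "keyid": keyid, "sig_size": sig_size, "signature": sig}


def classify(xattr, trusted_keyids):
    """Map a raw xattr value (None when absent) to an appraisal-style outcome."""
    if xattr is None:
        return "unsigned"
    try:
        info = parse_ima_xattr(xattr)
    except ValueError:
        return "malformed"
    if info["type"] == "digest":
        return "digest-only"
    if info["keyid"] not in trusted_keyids:
        return "signed-untrusted-key"
    return "signed"


def check_file(path, trusted_keyids):
    """Read security.ima from a real file (Linux only) and classify it."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        raise OSError("extended attributes are not supported on this platform")
    try:
        value = getxattr(path, "security.ima", follow_symlinks=False)
    except OSError as exc:
        # No xattr, or a filesystem without xattr support: treat as unsigned.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            value = None
        else:
            raise
    return classify(value, trusted_keyids)


# Constructed samples (not real Red Hat data): a well-formed v2 sha256 header
# with a made-up key id and a zero-filled 256-byte (RSA-2048 sized) signature,
# and a digest-only xattr with a zero-filled sha256 digest.
SAMPLE_KEYID = 0xDEADBEEF  # assumed key id for the example
SAMPLE_SIGNED = (bytes([EVM_IMA_XATTR_DIGSIG, DIGSIG_VERSION_2, 4])
                 + struct.pack(">IH", SAMPLE_KEYID, 256) + bytes(256))
SAMPLE_DIGEST_ONLY = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes(32)

if __name__ == "__main__":
    # Usage: python ima_xattr_check.py /usr/bin/bash DEADBEEF [KEYID...]
    trusted = {int(k, 16) for k in sys.argv[2:]}
    print(sys.argv[1], check_file(sys.argv[1], trusted))
```

The manual equivalents on a RHEL 9.4 host are `getfattr -n security.ima -e hex <file>` to dump the raw value and `evmctl ima_verify -k <cert> <file>` to check the signature itself; this example only decodes the header and the key id, so a "signed" result means the file is signed by a key you listed, not that the signature is cryptographically valid. The trusted key ids to pass in must come from the actual Red Hat IMA CA certificate, which this example does not extract.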
Is related to: OCPBUGS-26477 RHCOS does not include RHEL-signed IMA signatures (Closed)