Atomic updates of r/o disk image with OS and apps, isolated from declarative config, e.g.
NixOS
Fedora Silverblue
openSuSE MicroOS
Enables measured boot of fixed-function appliances, limiting which applications are permitted to run.
> .. Integrity Policy Enforcement Linux Security Module (IPE LSM) being accepted for inclusion upstream during the 6.12 merge window. This new LSM lets image-based Linux deployments ship a code-integrity policy enforced by the kernel, so that only signed (and thus trusted) payloads can be executed at run time. Enabling this feature was always one of the goals of developing image-based Linux products, and a demo showing how this can work was given at ASG.
Are they talking about docker images? What's a hermetic usr? Not answered in the article.
Atomic updates of r/o disk image with OS and apps, isolated from declarative config, e.g.
Enables measured boot of fixed-function appliances, limiting which applications are permitted to run.> .. Integrity Policy Enforcement Linux Security Module (IPE LSM) being accepted for inclusion upstream during the 6.12 merge window. This new LSM lets image-based Linux deployments ship a code-integrity policy enforced by the kernel, so that only signed (and thus trusted) payloads can be executed at run time. Enabling this feature was always one of the goals of developing image-based Linux products, and a demo showing how this can work was given at ASG.
https://archive.is/kMdGw