I've tried implementing IMA+EVM. Not hard to set up, but very hard to maintain securely. It would require distros and package managers to support it, but every distro is still stuck in the 90s with their anti-PKI ideology. Imagine if every system-managed binary were cryptographically authenticated, like on macOS and Windows (well, Windows has holes as always).

Another issue is that IMA isn't used much, so I am not confident that adequate security research/scrutiny has been performed on bypassing/disabling it.