Using Linux IMA with eBPF to protect a workload from supply chain risk (edgebit.io)
15 points by robszumski on Dec 16, 2023 | hide | past | favorite | 4 comments


I've tried implementing IMA+EVM. Not hard to set up, but very hard to maintain securely. It would require distros and package managers to support it, but every distro is still stuck in the 90s with their anti-PKI ideology. Imagine if every system-managed binary was cryptographically authenticated? Like macOS and Windows (well, Windows has holes as always).

Another issue is, IMA isn't used much so I am not confident about adequate security research/scrutiny having been performed to bypass/disable it.


Yeah, it maybe makes more sense in the context of embedded machines, where your userspace is small enough and where you already expect that most of your binaries aren't going to change underneath your feet under normal circumstances.


Or if you are deploying stuff at large shops with decent devops staffing, you can use IMA as part of your OS build pipeline. Basically to make sure what you tested and published from dev is the only thing that can run in prod. But is it possible to code inject with ptrace or /proc/self/mem? If someone can run code, can they ROP using existing binaries only and disable IMA verification? One thing I might try would be to drop unsigned/unauthenticated versions of a distro install somewhere and chroot; if the OS allows chroot, is it that easy to bypass IMA? Because you can mount --bind anything into the chroot environment. So is it a defense only if you are restricted as a non-root user?


Doesn't have to be that fancy: you can run python (which is IMA/EVM signed) and run arbitrary stuff. ptrace shouldn't be allowed in prod, but yes, you could memfd some code segment and exec into it... still, python is easier...
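The build-pipeline use discussed above ("what you tested and published from dev is the only thing that can run in prod") has a detection side as well as the appraisal policy: the IMA measurement log on each host can be compared against the manifest of digests the pipeline published. The script below is an added example, not code from the linked EdgeBit article or from anyone in this thread. It parses entries in the layout of `/sys/kernel/security/ima/ascii_runtime_measurements` (ima-ng and ima-sig templates), keys the manifest by digest rather than path, and reports executions whose content the pipeline never published or which were measured without a signature. All digests, signatures, paths and log lines are constructed for illustration.

```python
"""Audit an IMA measurement log against a build-pipeline manifest.

Added example, not code from the linked article or from anyone in this thread.
Entry layout assumed (ascii_runtime_measurements, ima-ng / ima-sig templates):
    <PCR> <template-hash> <template-name> <algo>:<digest> <path> [<sig-hex>]
All digests, signatures, paths and log lines below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Measurement:
    pcr: int
    template: str             # "ima-ng" or "ima-sig"
    algo: str                 # hash algorithm named in the entry, e.g. sha256
    digest: str               # file content digest, hex
    path: str                 # path the file was measured under
    signature: Optional[str]  # hex signature; present only in ima-sig entries


def parse_measurement(line: str) -> Measurement:
    """Split one ascii_runtime_measurements line into its fields."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"short IMA entry: {line!r}")
    algo, sep, digest = fields[3].partition(":")
    if not sep:
        raise ValueError(f"digest field without algorithm prefix: {line!r}")
    # An ima-sig entry for an unsigned file simply has an empty sixth field.
    signature = fields[5] if fields[2] == "ima-sig" and len(fields) > 5 else None
    return Measurement(int(fields[0]), fields[2], algo, digest, fields[4], signature)


def load_manifest(lines: Iterable[str]) -> Dict[str, str]:
    """Parse sha256sum-style output ('<digest>  <path>') into digest -> path."""
    manifest: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[digest.lower()] = path
    return manifest


def audit(log_lines: Iterable[str], manifest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (finding, path, digest) for each measured file that is not a known,
    signed build artifact. Matching on digest rather than path means a published
    binary executed from an unexpected location (a bind mount, a chroot) still
    matches, while unknown content is flagged wherever it sits."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = parse_measurement(line)
        if m.path == "boot_aggregate":  # the kernel's boot record, not a file
            continue
        if m.digest.lower() not in manifest:
            findings.append(("unknown-digest", m.path, m.digest))
        elif m.template == "ima-sig" and not m.signature:
            findings.append(("unsigned", m.path, m.digest))
    return findings


# Constructed values: not real file hashes or signatures.
BASH_DIGEST = "11" * 32
PYTHON_DIGEST = "22" * 32
ROGUE_DIGEST = "33" * 32
FAKE_SIG = "030204" + "ab" * 60

MANIFEST = load_manifest([
    "# constructed: what the pipeline would publish from 'sha256sum /usr/bin/*'",
    f"{BASH_DIGEST}  /usr/bin/bash",
    f"{PYTHON_DIGEST}  /usr/bin/python3",
])

SAMPLE_LOG = [
    f"10 {'00' * 20} ima-ng sha256:{'ff' * 32} boot_aggregate",
    f"10 {'01' * 20} ima-sig sha256:{BASH_DIGEST} /usr/bin/bash {FAKE_SIG}",
    # same content as the manifest's python3, run from inside a chroot: still matches
    f"10 {'02' * 20} ima-sig sha256:{PYTHON_DIGEST} /srv/chroot/usr/bin/python3 {FAKE_SIG}",
    # content the pipeline never published
    f"10 {'03' * 20} ima-sig sha256:{ROGUE_DIGEST} /tmp/helper",
    # known content, but measured without a signature
    f"10 {'04' * 20} ima-sig sha256:{BASH_DIGEST} /opt/bash-copy",
]

if __name__ == "__main__":
    for kind, path, digest in audit(SAMPLE_LOG, MANIFEST):
        print(f"{kind:15} {path} sha256:{digest}")
```

This only reads what IMA measured, so it is a detection check, not enforcement; whether an unsigned or unknown file actually ran depends on the appraisal policy being in enforcing mode. It also inherits the limitation raised in the reply above: the log records the signed interpreter binary, not the script that interpreter was handed, so manifest-matching on its own says nothing about what a signed `python` went on to execute.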

