| 摘要 |
The exemplary aspects of the invention can be performed by at least a method, apparatus and computer program. The exemplary aspects include receiving from a source a package including a binary file representing an application software and an associated resource declaration indicating resources required by the application software, extracting the resource declaration from the package, forming an intersection of the extracted resource declaration and a set of allowable resources, for the source of the package, obtained from a software sources ranking and resources usage policy, granting the application software resources based on the result of the formed intersection, installing the application software, and storing an indication of the granted resources in a resource possession list. Further, the aspects include calculating, at a device, a cryptographic hash of an executable, signing the cryptographic hash, and storing a resulting reference signed cryptographic hash in a protected storage, prior to executing the executable, calculating the cryptographic hash of the executable, and comparing a result to the reference cryptographic hash retrieved from the protected storage. In Additionally, there is verifying during a boot process, an integrity of an application kernel on a device, wherein verifying the integrity includes verifying an integrity of a boot read only memory of the device, based on a verified boot read only memory, verifying a loader integrity of the device, wherein the loader integrity verification indicates a signed software image for the application kernel is present, and wherein for the case that the loader integrity is not verified, determining if there is a policy in place to prevent access to the application kernel, and based on determining there is no policy in place, restricting a security functionality of the device, and booting the device with the restricted functionality. |
