Environment
- OS / version: CentOS Stream 10
- Processor architecture: ppc64le
- TPM Manufacturer: swtpm
- Keylime version: 7.12.1
Description
I am seeing attestation failures because of `memfd:kernel` not being on the allowlist. I recall seeing this error on other architectures as well. I believe that, given that it is not really doable to prepare an allowlist record for this resource in advance, it should be added to the default excludelist.
Expected behavior vs. actual behavior
System attestation should not fail because of `memfd:kernel` not being on the allowlist.
Steps to reproduce problem
- generate a Keylime policy and run the attestation (not reproducible on every system)
Relevant logs
```
out: Aug 01 04:06:48 rhel-9 keylime_verifier[5124]: 2025-08-01 04:06:48.481 - keylime.ima - WARNING - File not found in allowlist: memfd:kernel
out: Aug 01 04:06:48 rhel-9 keylime_verifier[5124]: 2025-08-01 04:06:48.483 - keylime.ima - ERROR - IMA ERRORS: Some entries couldn't be validated. Number of failures in modes: ImaNg 1.
```
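The following is an added example written for this page; it is not Keylime's own verifier code. It models how an ima-ng measurement log is checked against a runtime policy, reproduces the "File not found in allowlist: memfd:kernel" failure from the log above, and shows an exclude rule resolving it while a tampered or unknown file is still caught. Assumptions: the policy dict only mirrors the shape of a Keylime runtime policy (a `digests` map of path to allowed hashes and an `excludes` list of regexes), the checker applies excludes with `re.match`, and the log lines and digests are constructed, not captured from a real system.

```python
"""Added example, not Keylime's own code: a simplified model of checking an
IMA measurement log against a runtime policy, showing why memfd:kernel fails
without an exclude rule and how a narrow exclude fixes it.

Assumptions: the policy dict follows the shape of a Keylime runtime policy
("digests" maps paths to allowed hashes, "excludes" lists regexes), exclude
patterns are applied with re.match, and all log data below is constructed.
"""

import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents so the digests in the sample log are reproducible.
BASH_DIGEST = sha256_hex(b"constructed contents of /usr/bin/bash")
MEMFD_DIGEST = sha256_hex(b"constructed contents of a kernel memfd")
TEMPLATE_HASH = "0" * 40  # placeholder for the ima-ng template hash

# Constructed ima-ng log, in the layout of
# /sys/kernel/security/ima/ascii_runtime_measurements:
#   <pcr> <template-hash> <template> <algo>:<filedata-hash> <path>
SAMPLE_IMA_LOG = (
    f"10 {TEMPLATE_HASH} ima-ng sha256:{BASH_DIGEST} /usr/bin/bash\n"
    f"10 {TEMPLATE_HASH} ima-ng sha256:{MEMFD_DIGEST} memfd:kernel\n"
)


def parse_ima_ng(log_text: str) -> list[dict]:
    """Parse ima-ng lines into dicts; other templates are rejected here."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps paths that contain spaces intact.
        pcr, template_hash, template, algo_digest, path = line.split(maxsplit=4)
        if template != "ima-ng":
            raise ValueError(f"unsupported IMA template: {template}")
        algo, digest = algo_digest.split(":", 1)
        entries.append({"pcr": int(pcr), "template_hash": template_hash,
                        "algo": algo, "digest": digest, "path": path})
    return entries


def validate(entries: list[dict], policy: dict) -> list[str]:
    """Return one message per entry the policy cannot account for.

    An empty list means every measured file was either excluded by regex or
    matched an allowlisted digest. Excludes are applied with re.match, so a
    pattern is anchored at the start of the path (assumption of this example).
    """
    excludes = [re.compile(p) for p in policy.get("excludes", [])]
    digests = policy.get("digests", {})
    failures = []
    for entry in entries:
        path = entry["path"]
        if any(rx.match(path) for rx in excludes):
            continue
        allowed = digests.get(path)
        if allowed is None:
            failures.append(f"File not found in allowlist: {path}")
        elif entry["digest"] not in allowed:
            failures.append(f"Hash mismatch for {path}")
    return failures


POLICY_WITHOUT_EXCLUDE = {
    "meta": {"version": 1},
    "digests": {"/usr/bin/bash": [BASH_DIGEST]},
    "excludes": [],
}

# Same allowlist plus an exclude rule. The pattern is anchored on the exact
# name rather than "^memfd:" so that other memfd-backed files (for example a
# payload executed from a user-created memfd) still have to be allowlisted.
POLICY_WITH_EXCLUDE = {
    "meta": {"version": 1},
    "digests": {"/usr/bin/bash": [BASH_DIGEST]},
    "excludes": [r"^memfd:kernel$"],
}


def check(log_text: str, policy: dict) -> list[str]:
    return validate(parse_ima_ng(log_text), policy)


if __name__ == "__main__":
    for name, policy in (("without exclude", POLICY_WITHOUT_EXCLUDE),
                         ("with exclude", POLICY_WITH_EXCLUDE)):
        failures = check(SAMPLE_IMA_LOG, policy)
        print(f"{name}: {'PASS' if not failures else failures}")
```

The exclude pattern is deliberately `^memfd:kernel$` and not `^memfd:`: a prefix-wide exclude would also skip any memfd-backed file a process chose to execute, which is exactly the kind of unexpected code the allowlist exists to catch.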