I don't think we trust the process name, so it might not matter. But this might open us up to a name changing while running

Only the kernel can edit a TBF header.

Not really though. If the flash is external it can be modified by a physical attacker. We don't check the signature again so we wouldn't catch a change in the process name

I don't understand why you are choosing to make this point. With this we get the same reference to the same memory address as before. Instead of two copies of that reference we now use one.

I just read your description and thought it was stored in RAM

I just read your description and thought it was stored in RAM

This has me confused. I think there are platforms where the header's stored in flash, and there are platforms where its stored in RAM. As a basic assumption, we should expect that the backing storage of a process, its header(s) and footer(s) is under exclusive control of the CPU and cannot be modified by an attacker -- that vector is way outside our threat model.

I think this is different for when loading processes from external flash. In that case, with this design, we ought to copy headers into private memory and re-verify after loading. If we don't, we break many other assumptions in the kernel too.