Under Construction
Trusted Signature Database (TSD)
To protect the integrity of executables, shared libraries, scripts, and kernel extensions, their expected (target) state must be known. Detecting changes to permissions, ownership, and content requires that at least this information is stored in a location that is itself protected against tampering. For Trusted Execution (TE), this store is the Trusted Signature Database, TSD for short. It can be kept locally on the AIX system (/etc/security/tsd/tsd.dat) or alternatively on an LDAP server.
Entries in the TSD contain the following file attributes:
owner - the name of the owning user (stored as a name, not as a UID)
group - the name of the owning group (stored as a name, not as a GID)
type - The file type: regular file, directory, FIFO, device file
mode - The access rights of the file
size - The size of the file in bytes
To detect changes in the content of a file, the following additional attributes are used:
hash_value - cryptographic hash of the file contents
signature - digital signature of the file, computed with RSA over the hash, so that the content can be verified against a public key rather than against a hash value that anyone could recompute
cert_tag - identifies the digital certificate whose key produced the signature; the public key from that certificate is used to verify it
There are a number of other attributes that will be discussed later.
An executable, shared library, script, or kernel extension is considered trusted if, and only if, the TSD contains an entry for it; an object without an entry is untrusted. For a trusted object the recorded attributes allow its integrity to be verified. For an untrusted object no verification is possible, because there is no reference state to compare against. Note that "trusted" here means "verifiable against the TSD" and nothing more: the guarantee is only as strong as the protection of the TSD itself.
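The following Python script is an added example, not code from this page or from AIX. It records the attributes listed above for a file, writes them out in a stanza layout modelled on tsd.dat, parses that text back, and re-checks the file after it has been tampered with. The exact stanza layout, the octal-only mode field, and the names make_entry, verify_entry, parse_tsd and CERTS are assumptions of the example. Signing uses an unpadded textbook RSA key built from two Mersenne primes so that it runs with the standard library alone; it is a stand-in for the real RSA scheme, and the CERTS dict stands in for the certificate store that cert_tag refers to.

```python
# Added example (stdlib only): record a file's TSD attributes and re-check them.
# The stanza layout and the toy RSA key are assumptions for the demo, not AIX's
# own tsd.dat format or signing scheme; attribute names follow the list above.
import grp
import hashlib
import os
import pwd
import stat
import tempfile

# Toy RSA key from two Mersenne primes (2^127-1, 2^521-1): wide enough to use a
# SHA-256 digest as the message integer, but unpadded textbook RSA with a fixed,
# public key, so a demo only (assumption: AIX's real RSA scheme is not shown).
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
CERTS = {"demo-cert-01": (N, E)}   # stand-in certificate store: cert_tag -> (n, e)
TYPE_NAMES = [(stat.S_ISREG, "FILE"), (stat.S_ISDIR, "DIRECTORY"), (stat.S_ISLNK, "LINK"),
              (stat.S_ISFIFO, "FIFO"), (stat.S_ISCHR, "CHAR_DEV"), (stat.S_ISBLK, "BLK_DEV")]

def sign_digest(digest_hex):
    return format(pow(int(digest_hex, 16), D, N), "x")

def verify_digest(digest_hex, sig_hex, n=N, e=E):
    return pow(int(sig_hex, 16), e, n) == int(digest_hex, 16)

def _name(lookup, ident, field):
    """owner/group are stored by name; fall back to the number if it is unknown."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def observe(path):
    """Read the TSD-relevant attributes of the object as it is on disk now."""
    st = os.lstat(path)
    ftype = next((name for test, name in TYPE_NAMES if test(st.st_mode)), "UNKNOWN")
    attrs = {"owner": _name(pwd.getpwuid, st.st_uid, "pw_name"),
             "group": _name(grp.getgrgid, st.st_gid, "gr_name"),
             "mode": f"{st.st_mode & 0o7777:o}",   # permission bits as octal (simplified)
             "type": ftype, "size": str(st.st_size)}
    if ftype == "FILE":
        with open(path, "rb") as fh:
            attrs["hash_value"] = hashlib.sha256(fh.read()).hexdigest()
    return attrs

def make_entry(path, cert_tag):
    """Record the current state of a regular file and sign its digest."""
    attrs = observe(path)
    attrs["cert_tag"] = cert_tag
    attrs["signature"] = sign_digest(attrs["hash_value"])
    return attrs

def render_stanza(path, attrs):
    return f"{path}:\n" + "".join(f"\t{k} = {v}\n" for k, v in attrs.items())

def parse_tsd(text):
    """Parse stanza text ('path:' followed by indented 'key = value' lines)."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):   # blank or comment line
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip()[:-1]
            entries[current] = {}
        elif current is not None and "=" in raw:
            key, _, value = raw.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries

def verify_entry(path, entry, certs):
    """Return the attribute names that no longer match the entry ([] means intact)."""
    seen = observe(path)
    failed = [k for k in ("owner", "group", "mode", "type", "size", "hash_value")
              if k in entry and seen.get(k) != entry[k]]
    # The signature is checked over the digest of the bytes on disk, not over the
    # stored hash_value: rewriting both file and hash_value still fails without the key.
    key = certs.get(entry.get("cert_tag"))
    if "signature" in entry and (key is None or "hash_value" not in seen or
                                 not verify_digest(seen["hash_value"], entry["signature"], *key)):
        failed.append("signature")
    return failed

def demo():
    """Constructed scenario: record a script, then change its mode and content."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ls")
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original\n")
        os.chmod(path, 0o555)
        entries = parse_tsd(render_stanza(path, make_entry(path, "demo-cert-01")))
        before = verify_entry(path, entries[path], CERTS)
        os.chmod(path, 0o755)
        with open(path, "wb") as fh:                 # same length as the original,
            fh.write(b"#!/bin/sh\necho trojaned\n")  # so size alone would not catch it
        after = verify_entry(path, entries[path], CERTS)
        return before, sorted(after)
```

Calling demo() returns ([], ['hash_value', 'mode', 'signature']): the freshly recorded file passes, while the modified copy fails on mode, hash and signature even though its size was deliberately kept the same. A path with no entry in the parsed TSD has nothing to compare against, which is the "untrusted" case described above. The signature is verified against the digest of the bytes actually on disk, so an attacker who rewrites both the file and its hash_value in the TSD is still caught unless they also hold the private key behind the cert_tag.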