ipe.rst - OpenGrok cross reference for /linux/Documentation/security/ipe.rst

Lines Matching full:ipe
3 Integrity Policy Enforcement (IPE) - Kernel Documentation
9    If you're looking for documentation on the usage of IPE, please see
10    :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
15 The original issue that prompted IPE's implementation was the creation
30 over IMA+EVM as the *integrity mechanism* in the original use case of IPE
109 IPE, as its name implies, is fundamentally an integrity policy enforcement
110 solution; IPE does not mandate how integrity is provided, but instead
114 level of security guarantees; and IPE allows sysadmins to express policy for
117 IPE does not have an inherent mechanism to ensure integrity on its own.
122 Therefore, IPE was designed around:
130 IPE was designed after evaluating existing integrity policy solutions
141 IPE attempts to avoid all of these pitfalls.
149 IPE's policy is plain-text. This introduces slightly larger policy files than
178 The second issue with a binary format is one of transparency. As IPE controls
192 IPE, if configured appropriately, is able to enforce a policy as soon as a
231 make the compiled-in policy a full IPE policy, it allows system builders
241 This means IPE requires a policy that can be completely updated (allowing
261 trusted anymore. IPE's policy has no exception to this. There can be
266 acquires the insecure policy, IPE needs a way to prevent rollback
269 Initially, IPE's policy can have a policy_version that states the
353 Instead, IPE just emits the rule that was matched. This limits the scope
359 IPE's policy engine is also designed in a way that it makes it obvious to
370 Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead
371 of covering individual LSM hooks (or syscalls), IPE covers operations. This means
376 maintainers of IPE, being kernel developers can make the correct choice to determine
385 Anonymous memory isn't treated any differently from any other access in IPE.
418 IPE has KUnit Tests for the policy parser. Recommended kunitconfig::
444 In addition, IPE has a python based integration
445 `test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that