ipe.rst - OpenGrok cross reference for /linux/Documentation/security/ipe.rst

Lines Matching +full:non +full:- +full:updatable
1 .. SPDX-License-Identifier: GPL-2.0
3 Integrity Policy Enforcement (IPE) - Kernel Documentation
10    :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
13 ---------------------
16 of a locked-down system. This system would be born-secure, and have
27   2. DM-Verity
29 Both options were carefully considered, however the choice to use DM-Verity
46       modify filesystem offline, the attacker could wipe all the xattrs -
50       With DM-Verity, as the xattrs are saved as part of the Merkel tree, if
51       offline mount occurs against the filesystem protected by dm-verity, the
54     * As userspace binaries are paged in Linux, dm-verity also offers the
59       dm-verity will check the data when the page fault occurs (and the disk
64     * dm-verity provides integrity verification on demand as blocks are
73     * The signature supports an x.509-based signing infrastructure.
81   3. The policy enforcement must have a permissive-like mode.
87   7. The policy must be auditable, at any point-of-time.
107 --------------
128 -----------------
136   2. A single, non-customizable action was implicitly taken as a default.
138   4. Authoring a policy required an in-depth knowledge of the larger system,
149 IPE's policy is plain-text. This introduces slightly larger policy files than
162 back into the human-readable form with as much information preserved. This is because a
175 human-readable form to the data structure in kernel, saving on code maintenance,
186 plain-text policy, on the other hand, the signers see the actual policy
208 across its entire ecosystem - every bootloader would have to support this
231 make the compiled-in policy a full IPE policy, it allows system builders
234 Updatable, Rebootless Policy
240 always risk-free, and blocking a security update leaves systems vulnerable.
253 populated at kernel compile-time, as this matches the expectation that the
254 author of the compiled-in policy described above is the same entity that can
257 Anti-Rollback / Anti-Replay
333 and override the default with an empty rule, force the end-user
365 algorithm may not always be clear to the end-user without reading the code first.
380 --------------------
389 evaluate to false, as they are all file-based and the operation is not
401 The per-policy securityfs tree is somewhat unique. For example, for
405     |- active
406     |- delete
407     |- name
408     |- pkcs7
409     |- policy
410     |- update
411     |- version
413 The policy is stored in the ``->i_private`` data of the MyPolicy inode.
416 -----
445 `test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that