Lines Matching +full:state +full:- +full:labels
1 .. SPDX-License-Identifier: GPL-2.0
3 Integrity Policy Enforcement (IPE) - Kernel Documentation
10 :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
13 ---------------------
16 of a locked-down system. This system would be born-secure, and have
27 2. DM-Verity
29 Both options were carefully considered, however the choice to use DM-Verity
43 At the time, this was done with mandatory access control labels. An IMA
44 policy would indicate what labels required integrity verification, which
46 modify filesystem offline, the attacker could wipe all the xattrs -
47 including the SELinux labels that would be used to determine whether the
50 With DM-Verity, as the xattrs are saved as part of the Merkle tree, if
51 offline mount occurs against the filesystem protected by dm-verity, the
54 * As userspace binaries are paged in Linux, dm-verity also offers the
59 dm-verity will check the data when the page fault occurs (and the disk
64 * dm-verity provides integrity verification on demand as blocks are
73 * The signature supports an x.509-based signing infrastructure.
81 3. The policy enforcement must have a permissive-like mode.
87 7. The policy must be auditable, at any point-of-time.
107 --------------
128 -----------------
136 2. A single, non-customizable action was implicitly taken as a default.
138 4. Authoring a policy required an in-depth knowledge of the larger system,
149 IPE's policy is plain-text. This introduces slightly larger policy files than
162 back into the human-readable form with as much information preserved. This is because a
175 human-readable form to the data structure in kernel, saving on code maintenance,
186 plain-text policy, on the other hand, the signers see the actual policy
208 across its entire ecosystem - every bootloader would have to support this
231 make the compiled-in policy a full IPE policy, it allows system builders
240 always risk-free, and blocking a security update leaves systems vulnerable.
253 populated at kernel compile-time, as this matches the expectation that the
254 author of the compiled-in policy described above is the same entity that can
257 Anti-Rollback / Anti-Replay
333 and override the default with an empty rule, force the end-user
335 scenario and explicitly state it::
365 algorithm may not always be clear to the end-user without reading the code first.
380 --------------------
389 evaluate to false, as they are all file-based and the operation is not
401 The per-policy securityfs tree is somewhat unique. For example, for
405 |- active
406 |- delete
407 |- name
408 |- pkcs7
409 |- policy
410 |- update
411 |- version
413 The policy is stored in the ``->i_private`` data of the MyPolicy inode.
416 -----
445 `test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that