Lines Matching +full:sha3 +full:- +full:224

1 .. SPDX-License-Identifier: GPL-2.0
9 attempting to use IPE. If you're looking for more developer-focused
13 --------
17 mechanisms that rely on labels and paths for decision-making, IPE focuses
34 a file's origin, such as dm-verity or fs-verity, which provide a layer of
36 that trust files from a dm-verity protected device. dm-verity ensures the
38 of its contents. Similarly, fs-verity offers filesystem-level integrity
40 fs-verity. These two features cannot be turned off once established, so
50 property. The latter includes checking the roothash of a dm-verity
51 protected device, determining whether dm-verity possesses a valid
52 signature, assessing the digest of a fs-verity protected file, or
53 determining whether fs-verity possesses a valid built-in signature. This
59 :menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
63 ---------
65 IPE works best in fixed-function devices: devices in which their purpose
70 IPE is a long-way off for use in general-purpose computing: the Linux
83 could be used to enable and support general-purpose computing use cases.
86 -----------------
101 ------------
103 IPE specifically targets the risk of tampering with user-space executable
125 - Actors with physical access to the hardware
126 - Actors with local network access to the system
127 - Actors with access to the deployment system
128 - Compromised internal systems under external control
129 - Malicious end users of the system
130 - Compromised end users of the system
131 - Remote (external) compromise of the system
135 developer tools used by them (i.e. return-oriented programming attacks).
137 kernelspace. As a result, kernel-level exploits are considered outside
141 ------
143 IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
174 Rules are evaluated top-to-bottom. As a result, any revocation rules,
183 or a per-operation level::
194 defaults on a per-operation basis (as above).
196 With configurable policy-based LSMs, there's several issues with
214 a path to a plain-text version of the IPE policy to apply. This policy
231 openssl smime -sign \
232 -in "$MY_POLICY" \
233 -signer "$MY_CERTIFICATE" \
234 -inkey "$MY_PRIVATE_KEY" \
235 -noattr \
236 -nodetach \
237 -nosmimecap \
238 -outform der \
239 -out "$MY_POLICY.p7b"
254 The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data
265 version greater or equal to the currently-running version.
268 in the kernel. This file is write-only and accepts a PKCS#7 signed
272 the currently-running version. This is to prevent rollback attacks.
275 This file is write-only and accepts a value of ``1`` to delete the policy.
337 …type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-lin…
338-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 sui…
342 …type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10…
460 …5): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res…
462 type=1327 audit(1653425689.008:55): proctitle="-bash"
464 …5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res…
466 type=1327 audit(1653425689.008:55): proctitle="-bash"
485 | old-enabled | integer | No | The old TTY audit enabled setting …
511 ----------
514 policy. Two properties are built-into the policy parser: 'op' and 'action'.
548 Pertains to initrd images loading via ``kexec --initrd``.
552 Controls loading policies via reading a kernel-space initiated read.
604 specific dm-verity volumes, identified via their root hashes. It has a
614 + blake2b-512
615 + blake2s-256
619 + sha3-224
620 + sha3-256
621 + sha3-384
622 + sha3-512
629 This property can be utilized for authorization of all dm-verity
631 specified by dm-verity's configuration, either the system trusted
661 This property is used to authorize all fs-verity enabled files that have
662 been verified by fs-verity's built-in signature mechanism. The signature
663 verification relies on a key stored within the ".fs-verity" keyring. It
673 ---------------
693 Allow any signed and validated dm-verity volume and the initramfs
704 Prohibit execution from a specific dm-verity volume
717 Allow only a specific dm-verity volume
727 Allow any fs-verity file with a valid built-in signature
737 Allow execution of a specific fs-verity file
748 ----------------------
750 - `Github Repository <https://github.com/microsoft/ipe>`_
751 - :doc:`Developer and design docs for IPE </security/ipe>`
754 ---
758 trust-based access control?
771 trust in the initial super-block, whereas trust in IPE is stemmed from kernel
774 -----------
776 .. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicl…
778 …st in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-[email protected]/>`_.
783 .. [#switch_root] https://man7.org/linux/man-pages/man8/switch_root.8.html