Lines Matching +full:kernel +full:- +full:policy

1 .. SPDX-License-Identifier: GPL-2.0
3 Integrity Policy Enforcement (IPE)
9 attempting to use IPE. If you're looking for more developer-focused
13 --------
15 Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
17 mechanisms that rely on labels and paths for decision-making, IPE focuses
34 a file's origin, such as dm-verity or fs-verity, which provide a layer of
36 that trust files from a dm-verity protected device. dm-verity ensures the
38 of its contents. Similarly, fs-verity offers filesystem-level integrity
40 fs-verity. These two features cannot be turned off once established, so
45 For the IPE policy, specifically, it grants the ability to enforce
47 reference values defined within the policy. This assessment can be based on
50 property. The latter includes checking the roothash of a dm-verity
51 protected device, determining whether dm-verity possesses a valid
52 signature, assessing the digest of a fs-verity protected file, or
53 determining whether fs-verity possesses a valid built-in signature. This
54 nuanced approach to policy enforcement enables a highly secure and
59 :menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
63 ---------
65 IPE works best in fixed-function devices: devices whose purpose
70 IPE is a long way off for use in general-purpose computing: the Linux
83 could be used to enable and support general-purpose computing use cases.
86 -----------------
101 ------------
103 IPE specifically targets the risk of tampering with user-space executable
104 code after the kernel has initially booted, including the kernel modules
116 policy. If a binary does not pass this verification process, either
120 resulting from policy violation.
125 - Actors with physical access to the hardware
126 - Actors with local network access to the system
127 - Actors with access to the deployment system
128 - Compromised internal systems under external control
129 - Malicious end users of the system
130 - Compromised end users of the system
131 - Remote (external) compromise of the system
135 developer tools used by them (i.e. return-oriented programming attacks).
137 kernelspace. As a result, kernel-level exploits are considered outside
140 Policy
141 ------
143 IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
145 policy, indicating the policy name, and the policy version, for
150 The policy name is a unique key identifying this policy in a human
155 The policy version indicates the current version of the policy (NOT the
156 policy syntax version). This is used to prevent rollback of policy to
157 potentially insecure previous versions of the policy.
159 The next portion of IPE policy is rules. Rules are formed by key=value
171 kernel that can provide a measure of integrity verification, such that IPE
174 Rules are evaluated top-to-bottom. As a result, any revocation rules,
178 IPE policy supports comments. The character '#' will function as a
181 The default behavior of IPE evaluations can also be expressed in policy,
183 or a per-operation level::
194 defaults on a per-operation basis (as above).
196 With configurable policy-based LSMs, there are several issues with
198 parsing the policy:
200 1. The kernel *should* not read files from userspace, so directly reading
201 the policy file is prohibited.
202 2. The kernel command line has a character limit, and one kernel module
205 3. There are various boot loaders in the kernel ecosystem, so handing
209 policy". A boot policy is a minimal policy which is compiled into the
210 kernel. This policy is intended to get the system to a state where
212 complex policy can be deployed via securityfs. The boot policy can be
214 a path to a plain-text version of the IPE policy to apply. This policy
215 will be compiled into the kernel. If not specified, IPE will be disabled
216 until a policy is deployed and activated through securityfs.
224 unconstrained root, and deploying an "allow all" policy). These
229 With openssl, the policy can be signed by::
231 openssl smime -sign \
232 -in "$MY_POLICY" \
233 -signer "$MY_CERTIFICATE" \
234 -inkey "$MY_PRIVATE_KEY" \
235 -noattr \
236 -nodetach \
237 -nosmimecap \
238 -outform der \
239 -out "$MY_POLICY.p7b"
242 ``new_policy`` node. To deploy a policy, simply cat the file into the
245 cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy
248 ``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
249 ``policy_name`` field of the policy deployed, so for the example above,
250 the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``.
251 Within this directory, there will be seven files: ``pkcs7``, ``policy``,
254 The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data
255 that was provided to the kernel, representing the policy. If the policy being
256 read is the boot policy, this will return ``ENOENT``, as it is not signed.
258 The ``policy`` file is read-only. Reading it returns the PKCS#7 inner
259 content of the policy, which will be the plain text policy.
261 The ``active`` file is used to set a policy as the currently active policy.
262 This file is rw, and accepts a value of ``"1"`` to set the policy as active.
263 Since only a single policy can be active at one time, all other policies
264 will be marked inactive. The policy being marked active must have a policy
265 version greater than or equal to the currently-running version.
267 The ``update`` file is used to update a policy that is already present
268 in the kernel. This file is write-only and accepts a PKCS#7 signed
269 policy. Two checks will always be performed on this policy: First, the
271 version. Second, the updated policy must have a policy version greater than
272 the currently-running version. This is to prevent rollback attacks.
274 The ``delete`` file is used to remove a policy that is no longer needed.
275 This file is write-only and accepts a value of ``1`` to delete the policy.
276 On deletion, the securityfs node representing the policy will be removed.
277 However, deleting the currently active policy is not allowed and will return
281 bad message (policy syntax error) or file exists error. The latter error happens
282 when trying to deploy a policy with a ``policy_name`` while the kernel already
283 has a deployed policy with the same ``policy_name``.
285 Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will
286 only enforce the policy marked active. Note that only one policy can be active
289 Once deployment is successful, the policy can be activated by writing ``1`` to the file
290 ``/sys/kernel/security/ipe/policies/$policy_name/active``.
293 echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"
295 From this point on, ``Ex_Policy`` is the enforced policy on the
300 ``/sys/kernel/security/ipe/policies/$policy_name/delete``.
301 Writing ``1`` to that file deletes the policy::
303 echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"
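The signing, deployment, activation and deletion steps above, collected into one POSIX shell helper. This is an added example, not a script from the IPE documentation or the kernel tree. It assumes the policy header line has the form ``policy_name=<name> policy_version=<x.y.z>`` (the header syntax itself is not shown on this page), that ``IPE_SECURITYFS`` may be overridden for dry runs against a scratch directory, and that the caller passes the version of the currently running policy so the rollback rules (``update`` requires strictly newer, ``active`` requires newer or equal) can be checked before anything is written to securityfs.

```shell
#!/bin/sh
# Added example, not from the IPE documentation: wrap the openssl signing command and the
# securityfs deployment steps. Assumptions: header line "policy_name=<name> policy_version=<x.y.z>";
# IPE_SECURITYFS overridable for dry runs; running version supplied by the caller.
set -eu

IPE_SECURITYFS="${IPE_SECURITYFS:-/sys/kernel/security/ipe}"

# Extract a key=value field (value optionally double-quoted) from the first line of a policy.
ipe_policy_field() {
    key="$1"; file="$2"
    sed -n "1s/.*${key}=\"*\([^\" ]*\)\"*.*/\1/p" "$file"
}

# Compare two dotted numeric versions; prints -1, 0 or 1 (missing components count as 0).
ipe_version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Rollback rules from the docs: 'update' needs a strictly newer version, 'active' needs
# newer-or-equal. Returns 0 when the operation would be accepted.
ipe_rollback_ok() {
    mode="$1"; new="$2"; cur="$3"
    case "$mode/$(ipe_version_cmp "$new" "$cur")" in
        update/1)          return 0 ;;
        active/1|active/0) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Sign a plain-text policy into DER PKCS#7 with the same flags the docs use (output: <policy>.p7b).
ipe_sign_policy() {
    openssl smime -sign -in "$1" -signer "$2" -inkey "$3" \
        -noattr -nodetach -nosmimecap -outform der -out "$1.p7b"
}

# Verify the signature locally before handing the blob to the kernel; prints the inner policy text.
ipe_verify_policy() {
    openssl smime -verify -inform der -in "$1" -CAfile "$2"
}

# Deploy a signed policy and activate it, refusing to activate an older version than the running one.
ipe_deploy_and_activate() {
    policy="$1"; p7b="$2"; cur_version="$3"
    name="$(ipe_policy_field policy_name "$policy")"
    version="$(ipe_policy_field policy_version "$policy")"
    if ! ipe_rollback_ok active "$version" "$cur_version"; then
        echo "refusing: $name $version is older than running version $cur_version" >&2
        return 1
    fi
    cat "$p7b" > "$IPE_SECURITYFS/new_policy"
    echo 1 > "$IPE_SECURITYFS/policies/$name/active"
    echo "activated $name $version"
}

# Delete a policy by name (the kernel refuses this for the currently active policy).
ipe_delete_policy() {
    echo 1 > "$IPE_SECURITYFS/policies/$1/delete"
}

case "${1:-}" in
    sign)   ipe_sign_policy "$2" "$3" "$4" ;;
    verify) ipe_verify_policy "$2" "$3" ;;
    deploy) ipe_deploy_and_activate "$2" "$3" "$4" ;;
    delete) ipe_delete_policy "$2" ;;
esac
```

Run as ``./ipe-deploy.sh sign policy.txt cert.pem key.pem``, then ``./ipe-deploy.sh deploy policy.txt policy.txt.p7b 0.0.0``; setting ``IPE_SECURITYFS=/tmp/ipe-dry-run`` lets the deploy step be exercised without a kernel.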
305 There is only one requirement to delete a policy: the policy being deleted
318 checked and policy violations are logged, but the policy is not really
321 The default mode is enforce, and can be changed via the kernel command
323 ``/sys/kernel/security/ipe/enforce``.
337 …type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-lin…
338-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 sui…
342 …type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10…
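A small parser for the IPE access records shown above, correlating each ``type=1420`` record with the ``type=1300`` SYSCALL record that shares its audit serial, so a defender can tell enforced denials apart from permissive-mode hits. This is an added example, not code from the IPE documentation; the sample records are constructed for it (field values such as paths, inodes and the third event are invented, and only the field names visible on this page are relied on).

```python
"""Added example (not from the IPE docs): parse and correlate IPE audit records."""
import re
from collections import defaultdict

AUDIT_HEADER = re.compile(r'^type=(\d+)\s+audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
AUDIT_FIELD = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S+)')

IPE_RECORD_TYPE = 1420      # the type=1420 records shown on the page
SYSCALL_RECORD_TYPE = 1300  # companion SYSCALL record with the same serial

# Constructed sample: an allowed execution (success_audit on), an enforced denial,
# and the same denial observed while enforcing=0 (permissive mode).
SAMPLE_AUDIT = """\
type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="hello" path="/usr/bin/hello" dev="dm-0" ino=120 rule="op=EXECUTE boot_verified=TRUE action=ALLOW"
type=1300 audit(1653364370.067:61): arch=c000003e syscall=9 success=yes exit=0 pid=2241 comm="hello"
type=1420 audit(1653364735.161:64): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2250 comm="bash" path="/data/unsigned/tool" dev="sda1" ino=5678 rule="DEFAULT action=DENY"
type=1300 audit(1653364735.161:64): arch=c000003e syscall=9 success=no exit=-13 pid=2250 comm="bash"
type=1420 audit(1653364800.500:70): ipe_op=EXECUTE ipe_hook=MMAP enforcing=0 pid=2260 comm="bash" path="/data/unsigned/tool" dev="sda1" ino=5678 rule="DEFAULT action=DENY"
type=1300 audit(1653364800.500:70): arch=c000003e syscall=9 success=yes exit=0 pid=2260 comm="bash"
"""


def parse_audit_line(line):
    """Return {'type', 'ts', 'serial', 'fields'} for one audit record, or None if not one."""
    m = AUDIT_HEADER.match(line.strip())
    if not m:
        return None
    rec_type, ts, serial, body = m.groups()
    fields = {}
    for key, raw in AUDIT_FIELD.findall(body):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {"type": int(rec_type), "ts": float(ts), "serial": int(serial), "fields": fields}


def group_by_serial(lines):
    """Records belonging to one event share the audit serial; group them."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            groups[rec["serial"]].append(rec)
    return groups


def summarize_ipe_events(lines):
    """One summary dict per IPE record, joined with its SYSCALL record's outcome."""
    events = []
    for serial, recs in sorted(group_by_serial(lines).items()):
        ipe = next((r for r in recs if r["type"] == IPE_RECORD_TYPE), None)
        if ipe is None:
            continue
        sc = next((r for r in recs if r["type"] == SYSCALL_RECORD_TYPE), None)
        f = ipe["fields"]
        rule = f.get("rule", "")
        events.append({
            "serial": serial,
            "op": f.get("ipe_op"),
            "hook": f.get("ipe_hook"),
            "pid": int(f["pid"]) if "pid" in f else None,
            "comm": f.get("comm"),
            "path": f.get("path"),
            "rule": rule,
            "denied": "action=DENY" in rule,
            "enforcing": f.get("enforcing") == "1",
            "syscall_success": None if sc is None else sc["fields"].get("success") == "yes",
        })
    return events


def blocked_events(lines):
    """Accesses IPE actually stopped: a DENY rule matched while enforcing=1."""
    return [e for e in summarize_ipe_events(lines) if e["denied"] and e["enforcing"]]


def would_block_events(lines):
    """Permissive-mode hits: DENY matched with enforcing=0, so the access went through."""
    return [e for e in summarize_ipe_events(lines) if e["denied"] and not e["enforcing"]]


if __name__ == "__main__":
    for e in summarize_ipe_events(SAMPLE_AUDIT.splitlines()):
        print(e["serial"], e["op"], e["path"], "DENY" if e["denied"] else "ALLOW",
              "enforced" if e["enforcing"] else "permissive", "success" if e["syscall_success"] else "failed")
```

The ``would_block_events`` view is what to watch while a new policy is trialled in permissive mode: every entry is an access that the policy would have blocked once ``enforcing`` is switched back on.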
355 +-----------+------------+-----------+-------------------------------------------------------------…
359 +-----------+------------+-----------+-------------------------------------------------------------…
361 +-----------+------------+-----------+-------------------------------------------------------------…
363 +-----------+------------+-----------+-------------------------------------------------------------…
365 +-----------+------------+-----------+-------------------------------------------------------------…
367 +-----------+------------+-----------+-------------------------------------------------------------…
369 +-----------+------------+-----------+-------------------------------------------------------------…
371 +-----------+------------+-----------+-------------------------------------------------------------…
373 +-----------+------------+-----------+-------------------------------------------------------------…
374 | rule | string | No | The matched policy rule …
375 +-----------+------------+-----------+-------------------------------------------------------------…
388 Note that IPE can only have one policy active at a time; all access-decision
389 evaluation is based on the currently active policy.
390 The normal procedure to deploy a new policy is to load the policy
391 into the kernel first, then switch the active policy to it.
397 +------------------------+------------+-----------+------------------------------------------------…
400 | old_active_pol_name | string | Yes | The name of previous active policy
401 +------------------------+------------+-----------+------------------------------------------------…
402 | old_active_pol_version | string | Yes | The version of previous active policy
403 +------------------------+------------+-----------+------------------------------------------------…
404 | old_policy_digest | string | Yes | The hash of previous active policy
405 +------------------------+------------+-----------+------------------------------------------------…
406 | new_active_pol_name | string | No | The name of current active policy
407 +------------------------+------------+-----------+------------------------------------------------…
408 | new_active_pol_version | string | No | The version of current active policy
409 +------------------------+------------+-----------+------------------------------------------------…
410 | new_policy_digest | string | No | The hash of current active policy
411 +------------------------+------------+-----------+------------------------------------------------…
413 +------------------------+------------+-----------+------------------------------------------------…
415 +------------------------+------------+-----------+------------------------------------------------…
417 +------------------------+------------+-----------+------------------------------------------------…
419 +------------------------+------------+-----------+------------------------------------------------…
430 This record indicates a new policy has been loaded into the kernel with the policy name, policy ver…
436 +----------------+------------+-----------+---------------------------------------------------+
440 +----------------+------------+-----------+---------------------------------------------------+
442 +----------------+------------+-----------+---------------------------------------------------+
443 | policy_digest | string | No | The policy hash |
444 +----------------+------------+-----------+---------------------------------------------------+
446 +----------------+------------+-----------+---------------------------------------------------+
448 +----------------+------------+-----------+---------------------------------------------------+
450 +----------------+------------+-----------+---------------------------------------------------+
452 +----------------+------------+-----------+---------------------------------------------------+
460 …5): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res…
462 type=1327 audit(1653425689.008:55): proctitle="-bash"
464 …5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res…
466 type=1327 audit(1653425689.008:55): proctitle="-bash"
472 +---------------+------------+-----------+---------------------------------------------------------…
476 +---------------+------------+-----------+---------------------------------------------------------…
478 +---------------+------------+-----------+---------------------------------------------------------…
480 +---------------+------------+-----------+---------------------------------------------------------…
482 +---------------+------------+-----------+---------------------------------------------------------…
484 +---------------+------------+-----------+---------------------------------------------------------…
485 | old-enabled | integer | No | The old TTY audit enabled setting …
486 +---------------+------------+-----------+---------------------------------------------------------…
488 +---------------+------------+-----------+---------------------------------------------------------…
490 +---------------+------------+-----------+---------------------------------------------------------…
497 policy and are not blocked will emit an audit event. This is disabled by
498 default, and can be enabled via the kernel command line
500 ``/sys/kernel/security/ipe/success_audit`` securityfs file.
511 ----------
514 policy. Two properties are built into the policy parser: 'op' and 'action'.
540 Pertains to loading kernel modules via ``modprobe`` or ``insmod``.
544 Pertains to kernel images loading via ``kexec``.
548 Pertains to initrd images loading via ``kexec --initrd``.
550 ``POLICY``:
552 Controls loading policies via a kernel-space initiated read.
555 to the policy file to ``$securityfs/ima/policy``
595 rootfs takes over. It is advised to switch to a different policy
604 specific dm-verity volumes, identified via their root hashes. It has a
614 + blake2b-512
615 + blake2s-256
619 + sha3-224
620 + sha3-256
621 + sha3-384
622 + sha3-512
629 This property can be utilized for authorization of all dm-verity
631 specified by dm-verity's configuration, either the system trusted
661 This property is used to authorize all fs-verity enabled files that have
662 been verified by fs-verity's built-in signature mechanism. The signature
663 verification relies on a key stored within the ".fs-verity" keyring. It
672 Policy Examples
673 ---------------
693 Allow any signed and validated dm-verity volume and the initramfs
704 Prohibit execution from a specific dm-verity volume
717 Allow only a specific dm-verity volume
727 Allow any fs-verity file with a valid built-in signature
737 Allow execution of a specific fs-verity file
748 ----------------------
750 - `Github Repository <https://github.com/microsoft/ipe>`_
751 - :doc:`Developer and design docs for IPE </security/ipe>`
754 ---
758 trust-based access control?
766 the two is the policy. [#devdoc]_
769 kernel read operations, whereas IPE is capable of controlling execution
770 on top of kernel read. The trust model is also different; LoadPin roots its
771 trust in the initial super-block, whereas trust in IPE stems from kernel
774 -----------
776 .. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicl…
778 …e is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mi…
783 .. [#switch_root] https://man7.org/linux/man-pages/man8/switch_root.8.html
791 kernel's fsverity support; IPE does not impose any