Developers of the Linux kernel are currently discussing the implementation of a new mechanism called IPE (Integrity Policy Enforcement) in the LSM (Linux Security Modules) code. IPE aims to extend access control by making decisions based on immutable properties of a system component rather than on specific labels or paths. The IPE module allows a single, system-wide integrity policy to be defined that determines which operations are permitted and how the authenticity of components must be verified.
IPE is designed for building fully verified systems, ensuring integrity from the bootloader and kernel through to executables, configuration, and loaded files. For instance, with IPE an administrator can specify which executables are allowed to run based on cryptographic hashes provided by subsystems such as dm-verity. If unauthorized changes are detected in the system, IPE can block the operation or log the integrity violation.
The mechanism is intended for firmware in embedded devices where all software and settings are supplied by the device owner; Microsoft, for example, uses IPE in its interactive display hardware. Unlike other integrity verification systems such as IMA, IPE does not rely on metadata stored in the file system; instead, all operation permissions are held directly in the kernel.
IPE rules are defined in text form as sets of key=value pairs. A rule is selected by operation type (the “op” key) and specifies the action to take (the “action” key); its remaining keys refer to properties supplied by external subsystems such as dm-verity and fs-verity.
For instance, a rule may allow a file to execute only if it is boot_verified, and deny execution if it lacks a valid dm-verity signature. Such rules are loaded into the kernel and can be added or modified as needed through the /sys/kernel/security/ipe/rules file. Rules passed in this way must be signed with a certificate held in the kernel's system trusted keyring (System_trusted_keyring).
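To make the rule semantics above concrete, here is an added example (not code from the kernel or the IPE patch set) that parses a small constructed policy in the key=value style described and evaluates it against files with different integrity properties. The key names `op`, `action`, `boot_verified` and `dmverity_signature` follow the upstream IPE syntax; the first-match evaluation order, the `DEFAULT` fallback and the file property dictionaries are simplifying assumptions of this model, not a description of the kernel's parser.

```python
from dataclasses import dataclass, field

# Constructed sample policy: deny everything by default, then allow execution
# only from the boot-verified image or from a dm-verity volume whose root hash
# is signed; kernel modules may only come from the boot-verified image.
POLICY = """\
policy_name=demo_boot_verified policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
op=KMODULE boot_verified=TRUE action=ALLOW
"""

@dataclass
class Rule:
    op: str                       # operation name, or "*" for a global DEFAULT
    action: str                   # "ALLOW" or "DENY"
    props: dict = field(default_factory=dict)  # property=value pairs that must all hold
    default: bool = False         # True for DEFAULT lines

def parse_policy(text):
    """Parse key=value rule lines into Rule objects (model of the syntax, not the kernel parser)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("policy_name="):
            continue                      # skip blanks, comments and the policy header
        toks = line.split()
        is_default = toks[0] == "DEFAULT"
        kv = dict(t.split("=", 1) for t in (toks[1:] if is_default else toks))
        op = kv.pop("op", "*")
        action = kv.pop("action").upper()
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"bad action in rule: {line}")
        if not is_default and op == "*":
            raise ValueError(f"rule needs op=: {line}")
        rules.append(Rule(op, action, kv, is_default))
    return rules

def evaluate(rules, op, subject):
    """First matching non-default rule for `op` wins; otherwise the op-specific DEFAULT,
    then the global DEFAULT, then DENY. Missing properties are treated as FALSE."""
    for r in rules:
        if not r.default and r.op == op and all(
                str(subject.get(k, False)).upper() == v.upper() for k, v in r.props.items()):
            return r.action
    for scope in (op, "*"):
        for r in rules:
            if r.default and r.op == scope:
                return r.action
    return "DENY"

def demo():
    """Decisions for three constructed files: initramfs binary, signed dm-verity volume, /tmp drop."""
    rules = parse_policy(POLICY)
    initramfs_bin, signed_volume_bin, tmp_bin = {"boot_verified": True}, {"dmverity_signature": True}, {}
    return (evaluate(rules, "EXECUTE", initramfs_bin), evaluate(rules, "EXECUTE", signed_volume_bin),
            evaluate(rules, "EXECUTE", tmp_bin), evaluate(rules, "KMODULE", signed_volume_bin))
```

`demo()` returns `("ALLOW", "ALLOW", "DENY", "DENY")`: the unsigned file in /tmp and the module from a volume that is not part of the boot-verified image both fall through to the global DEFAULT.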