d/config: enable IPE LSM

Luca Boccassi requested to merge bluca/linux:ipe into debian/latest

IPE is a new LSM being introduced in 6.12. Like IMA, it works based on a policy file that has to be loaded at boot, and is inert otherwise. In a nutshell, it allows enabling code integrity on a system.

systemd v257 will have the ability to load a policy from /etc/ipe/ just like it does for IMA.

For more information on the details of IPE and how to write policies, see:

https://docs.kernel.org/security/ipe.html

Essentially it allows writing a policy that enforces code integrity rules on a system (every executable and library must be signed, for example by having the rootfs on dm-verity, or execution/loading is denied).

Extract from this doc:

IPE, as its name implies, is fundamentally an integrity policy enforcement solution; IPE does not mandate how integrity is provided, but instead leaves that decision to the system administrator to set the security bar, via the mechanisms that they select that suit their individual needs. There are several different integrity solutions that provide a different level of security guarantees; and IPE allows sysadmins to express policy for theoretically all of them.

IPE does not have an inherent mechanism to ensure integrity on its own. Instead, there are more effective layers available for building systems that can guarantee integrity. It’s important to note that the mechanism for proving integrity is independent of the policy for enforcing that integrity claim.

Edited by Luca Boccassi
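
An added example, not part of the merge request or of the kernel's own code: a shell function that reports whether IPE on a running system is absent, inert (LSM enabled but no active policy), permissive or enforcing. The securityfs paths (`lsm`, `ipe/policies/<name>/active`, `ipe/enforce`) follow the kernel IPE documentation linked above; the function name `ipe_state` and its mount-point argument are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the state of the IPE LSM from a securityfs tree.
# Usage: ipe_state            (reads /sys/kernel/security)
#        ipe_state /some/dir  (hypothetical argument: alternate tree, for testing)
# Prints one of: absent | inert | permissive | enforcing
ipe_state() {
    secfs="${1:-/sys/kernel/security}"

    # "lsm" holds the comma-separated list of LSMs active on this boot.
    lsms=$(cat "$secfs/lsm" 2>/dev/null) || lsms=""
    case ",$lsms," in
        *,ipe,*) ;;
        *) echo absent; return 0 ;;
    esac

    # IPE only acts when a loaded policy has been activated:
    # policies/<name>/active reads 1 for the policy in force.
    active=""
    for f in "$secfs"/ipe/policies/*/active; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            active=$(basename "$(dirname "$f")")
            break
        fi
    done
    if [ -z "$active" ]; then
        echo inert
        return 0
    fi

    # enforce: 1 = violations are denied, 0 = violations are only audited.
    if [ "$(cat "$secfs/ipe/enforce" 2>/dev/null)" = "0" ]; then
        echo permissive
    else
        echo enforcing
    fi
}
```

Reading the `ipe` nodes may require root; an unreadable `active` file is treated as no active policy, so an unprivileged run can report `inert` on a system that is in fact enforcing.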