1 .. SPDX-License-Identifier: GPL-2.0
2
3 Integrity Policy Enforcement (IPE) - Kernel Do
4 ==============================================
5
6 .. NOTE::
7
8 This is documentation targeted at developer
9 If you're looking for documentation on the
10 :doc:`IPE admin guide </admin-guide/LSM/ipe
11
12 Historical Motivation
13 ---------------------
14
15 The original issue that prompted IPE's impleme
16 of a locked-down system. This system would be
17 strong integrity guarantees over both the exec
18 *data files* on the system, that were critical
19 specific data files would not be readable unle
20 policy. A mandatory access control system woul
21 as a result, xattrs would have to be protected
22 of what would provide the integrity claims. At
23 main mechanisms considered that could guarante
24 with these requirements:
25
26 1. IMA + EVM Signatures
27 2. DM-Verity
28
29 Both options were carefully considered, howeve
30 over IMA+EVM as the *integrity mechanism* in t
31 was due to three main reasons:
32
33 1. Protection of additional attack vectors:
34
35 * With IMA+EVM, without an encryption solu
36 to offline attack against the aforementi
37
38 Unlike executables, read operations (lik
39 files), cannot be enforced to be globall
40 there must be some form of selector to d
41 enforce the integrity policy, or it shou
42
43 At the time, this was done with mandator
44 policy would indicate what labels requir
45 presented an issue: EVM would protect th
46 modify filesystem offline, the attacker
47 including the SELinux labels that would
48 file should be subject to integrity poli
49
50 With DM-Verity, as the xattrs are saved
51 offline mount occurs against the filesys
52 checksum no longer matches and the file
53
54 * As userspace binaries are paged in Linux
55 additional protection against a hostile
56 the block device reports the appropriate
57 initially, passing the required integrit
58 that accesses the real data, will report
59 dm-verity will check the data when the p
60 access), this attack is mitigated.
61
62 2. Performance:
63
64 * dm-verity provides integrity verificatio
65 read versus requiring the entire file be
66 validation.
67
68 3. Simplicity of signing:
69
70 * No need for two signatures (IMA, then EV
71 an entire block device.
72 * Signatures can be stored externally to t
73 * The signature supports an x.509-based si
74
75 The next step was to choose a *policy* to enfo
76 The minimum requirements for the policy were:
77
78 1. The policy itself must be integrity verif
79 attack against it).
80 2. The policy itself must be resistant to ro
81 3. The policy enforcement must have a permis
82 4. The policy must be able to be updated, in
83 a reboot.
84 5. Policy updates must be atomic.
85 6. The policy must support *revocations* of
86 components.
87 7. The policy must be auditable, at any poin
88
89 IMA, as the only integrity policy mechanism at
90 considered against these list of requirements,
91 all of the minimum requirements. Extending IMA
92 requirements was considered, but ultimately di
93 two reasons:
94
95 1. Regression risk; many of these changes wo
96 dramatic code changes to IMA, which is al
97 kernel, and therefore might impact users.
98
99 2. IMA was used in the system for measuremen
100 separation of measurement policy from loc
101 enforcement was considered favorable.
102
103 Due to these reasons, it was decided that a ne
104 whose responsibility would be only the local i
105
106 Role and Scope
107 --------------
108
109 IPE, as its name implies, is fundamentally an
110 solution; IPE does not mandate how integrity i
111 leaves that decision to the system administrat
112 via the mechanisms that they select that suit
113 There are several different integrity solution
114 level of security guarantees; and IPE allows s
115 theoretically all of them.
116
117 IPE does not have an inherent mechanism to ens
118 Instead, there are more effective layers avail
119 can guarantee integrity. It's important to not
120 integrity is independent of the policy for enf
121
122 Therefore, IPE was designed around:
123
124 1. Easy integrations with integrity provider
125 2. Ease of use for platform administrators/s
126
127 Design Rationale:
128 -----------------
129
130 IPE was designed after evaluating existing int
131 in other operating systems and environments. I
132 implementations, there were a few pitfalls ide
133
134 1. Policies were not readable by humans, usu
135 intermediary format.
136 2. A single, non-customizable action was imp
137 3. Debugging the policy required manual step
138 4. Authoring a policy required an in-depth k
139 or operating system.
140
141 IPE attempts to avoid all of these pitfalls.
142
143 Policy
144 ~~~~~~
145
146 Plain Text
147 ^^^^^^^^^^
148
149 IPE's policy is plain-text. This introduces sl
150 other LSMs, but solves two major problems that
151 solutions on other platforms.
152
153 The first issue is one of code maintenance and
154 the policy has to be some form of string repre
155 through XML, JSON, YAML, etcetera), to allow t
156 what is being written. In a hypothetical binar
157 is necessary to write the policy from the huma
158 form, and a deserializer is needed to interpre
159 structure in the kernel.
160
161 Eventually, another deserializer will be neede
162 back into the human-readable form with as much
163 user of this access control system will have t
164 and the original file itself to try to underst
165 on this system and what policies have not. For
166 as old policies can be discarded almost immedi
167 For users that manage computer fleets in the t
168 with multiple different operating systems, and
169 this quickly becomes an issue, as stale polici
170 quickly resulting in the need to recover the p
171 to track what each policy contains.
172
173 With now three separate serializer/deserialize
174 policy avoids the binary format, there is only
175 human-readable form to the data structure in k
176 and retaining operability.
177
178 The second issue with a binary format is one o
179 access based on the trust of the system's reso
180 trusted to be changed. This is done through si
181 signing as a process. Signing, as a process, i
182 high security bar, as anything signed can be u
183 enforcement systems. It is also important that
184 the signer is aware of what they are signing.
185 obfuscation of that fact; what signers see is
186 plain-text policy, on the other hand, the sign
187 submitted for signing.
188
189 Boot Policy
190 ~~~~~~~~~~~
191
192 IPE, if configured appropriately, is able to e
193 kernel is booted and usermode starts. That imp
194 of the policy to apply the minute usermode sta
195 can be handled in one of three ways:
196
197 1. The policy file(s) live on disk and the k
198 to an code path that would result in an e
199 2. The policy file(s) are passed by the boot
200 parses the policy.
201 3. There is a policy file that is compiled i
202 parsed and enforced on initialization.
203
204 The first option has problems: the kernel read
205 is typically discouraged and very uncommon in
206
207 The second option also has problems: Linux sup
208 across its entire ecosystem - every bootloader
209 new methodology or there must be an independen
210 result in more drastic changes to the kernel s
211
212 The third option is the best but it's importan
213 will take disk space against the kernel it's c
214 keep this policy generalized enough that users
215 complicated policy, but restrictive enough tha
216 and cause security issues.
217
218 The initramfs provides a way that this bootup
219 kernel starts with a minimal policy, that trus
220 the initramfs, when the real rootfs is mounted
221 it deploys and activates a policy that trusts
222 This prevents overauthorization at any step, a
223 to a minimal size.
224
225 Startup
226 ^^^^^^^
227
228 Not every system, however starts with an initr
229 compiled into the kernel will need some flexib
230 is established for the next phase of the bootu
231 make the compiled-in policy a full IPE policy,
232 to express the first stage bootup requirements
233
234 Updatable, Rebootless Policy
235 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
236
237 As requirements change over time (vulnerabilit
238 trusted applications, keys roll, etcetera). Up
239 meet those security goals is not always a suit
240 always risk-free, and blocking a security upda
241 This means IPE requires a policy that can be c
242 revocations of existing policy) from a source
243 policies to be updated without updating the ke
244
245 Additionally, since the kernel is stateless be
246 policy files off the disk from kernel space is
247 policy updates have to be done rebootlessly.
248
249 To allow an update from an external source, it
250 so this policy needs to have a way to be ident
251 done via a signature chained to a trust source
252 this is the ``SYSTEM_TRUSTED_KEYRING``, a key
253 populated at kernel compile-time, as this matc
254 author of the compiled-in policy described abo
255 deploy policy updates.
256
257 Anti-Rollback / Anti-Replay
258 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
259
260 Over time, vulnerabilities are found and trust
261 trusted anymore. IPE's policy has no exception
262 instances where a mistaken policy author deplo
263 before correcting it with a secure policy.
264
265 Assuming that as soon as the insecure policy i
266 acquires the insecure policy, IPE needs a way
267 from the secure policy update to the insecure
268
269 Initially, IPE's policy can have a policy_vers
270 minimum required version across all policies t
271 the system. This will prevent rollback while t
272
273 .. WARNING::
274
275 However, since the kernel is stateless acros
276 version will be reset to 0.0.0 on the next b
277 need to be aware of this, and ensure the new
278 deployed ASAP after a boot to ensure that th
279 opportunity is minimal for an attacker to de
280
281 Implicit Actions:
282 ~~~~~~~~~~~~~~~~~
283
284 The issue of implicit actions only becomes vis
285 a mixed level of security bars across multiple
286 For example, consider a system that has strong
287 over both the executable code, and specific *d
288 that were critical to its function. In this sy
289 are possible:
290
291 1. A policy in which failure to match any ru
292 in the action being denied.
293 2. A policy in which failure to match any ru
294 in the action being allowed.
295 3. A policy in which the action taken when n
296 specified by the policy author.
297
298 The first option could make a policy like this
299
300 op=EXECUTE integrity_verified=YES action=ALL
301
302 In the example system, this works well for the
303 executables should have integrity guarantees,
304 issue becomes with the second requirement abou
305 This would result in a policy like this (assum
306 evaluated in order)::
307
308 op=EXECUTE integrity_verified=YES action=ALL
309
310 op=READ integrity_verified=NO label=critical
311 op=READ action=ALLOW
312
313 This is somewhat clear if you read the docs, u
314 is executed in order and that the default is a
315 last line effectively changes that default to
316 required, because in a realistic system, there
317 reads (imagine appending to a log file).
318
319 The second option, matching no rules results i
320 for the specific data files::
321
322 op=READ integrity_verified=NO label=critical
323
324 And, like the first option, falls short with t
325 effectively needing to override the default::
326
327 op=EXECUTE integrity_verified=YES action=ALL
328 op=EXECUTE action=DENY
329
330 op=READ integrity_verified=NO label=critical
331
332 This leaves the third option. Instead of makin
333 and override the default with an empty rule, f
334 to consider what the appropriate default shoul
335 scenario and explicitly state it::
336
337 DEFAULT op=EXECUTE action=DENY
338 op=EXECUTE integrity_verified=YES action=ALL
339
340 DEFAULT op=READ action=ALLOW
341 op=READ integrity_verified=NO label=critical
342
343 Policy Debugging:
344 ~~~~~~~~~~~~~~~~~
345
346 When developing a policy, it is useful to know
347 is being violated to reduce debugging costs; n
348 investigation to the exact line that resulted
349 policy systems do not provide this information
350 information that was used in the evaluation. T
351 with the policy to evaluate what went wrong.
352
353 Instead, IPE just emits the rule that was matc
354 of the investigation to the exact policy line
355 rule), or the section (in the case of a DEFAUL
356 and investigation times when policy failures a
357 policies.
358
359 IPE's policy engine is also designed in a way
360 a human of how to investigate a policy failure
361 the sequence that is written, so the algorithm
362 for humans to recreate the steps and could hav
363 surveyed systems, optimizations occur (sorting
364 the policy. In those systems, it requires mult
365 algorithm may not always be clear to the end-u
366
367 Simplified Policy:
368 ~~~~~~~~~~~~~~~~~~
369
370 Finally, IPE's policy is designed for sysadmin
371 of covering individual LSM hooks (or syscalls)
372 instead of sysadmins needing to know that the
373 ``execve``, and ``uselib`` must have rules pro
374 that they want to restrict code execution. Thi
375 could occur due to a lack of knowledge of the
376 maintainers of IPE, being kernel developers ca
377 whether something maps to these operations, an
378
379 Implementation Notes
380 --------------------
381
382 Anonymous Memory
383 ~~~~~~~~~~~~~~~~
384
385 Anonymous memory isn't treated any differently
386 When anonymous memory is mapped with ``+X``, i
387 or ``file_mprotect`` hook, but with a ``NULL``
388 the evaluation, like any other file. However,
389 evaluate to false, as they are all file-based
390 associated with a file.
391
392 .. WARNING::
393
394 This also occurs with the ``kernel_load_data
395 loading data from a userspace buffer that is
396 scenario all current trust properties will a
397
398 Securityfs Interface
399 ~~~~~~~~~~~~~~~~~~~~
400
401 The per-policy securityfs tree is somewhat uni
402 a standard securityfs policy tree::
403
404 MyPolicy
405 |- active
406 |- delete
407 |- name
408 |- pkcs7
409 |- policy
410 |- update
411 |- version
412
413 The policy is stored in the ``->i_private`` da
414
415 Tests
416 -----
417
418 IPE has KUnit Tests for the policy parser. Rec
419
420 CONFIG_KUNIT=y
421 CONFIG_SECURITY=y
422 CONFIG_SECURITYFS=y
423 CONFIG_PKCS7_MESSAGE_PARSER=y
424 CONFIG_SYSTEM_DATA_VERIFICATION=y
425 CONFIG_FS_VERITY=y
426 CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
427 CONFIG_BLOCK=y
428 CONFIG_MD=y
429 CONFIG_BLK_DEV_DM=y
430 CONFIG_DM_VERITY=y
431 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
432 CONFIG_NET=y
433 CONFIG_AUDIT=y
434 CONFIG_AUDITSYSCALL=y
435 CONFIG_BLK_DEV_INITRD=y
436
437 CONFIG_SECURITY_IPE=y
438 CONFIG_IPE_PROP_DM_VERITY=y
439 CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
440 CONFIG_IPE_PROP_FS_VERITY=y
441 CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
442 CONFIG_SECURITY_IPE_KUNIT_TEST=y
443
444 In addition, IPE has a python based integratio
445 `test suite <https://github.com/microsoft/ipe/
446 can test both user interfaces and enforcement
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.