1.. SPDX-License-Identifier: GPL-2.0
2
3Integrity Policy Enforcement (IPE)
4==================================
5
6.. NOTE::
7
8   This is the documentation for admins, system builders, or individuals
9   attempting to use IPE. If you're looking for more developer-focused
10   documentation about IPE please see :doc:`the design docs </security/ipe>`.
11
12Overview
13--------
14
15Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
16complementary approach to access control. Unlike traditional access control
17mechanisms that rely on labels and paths for decision-making, IPE focuses
18on the immutable security properties inherent to system components. These
19properties are fundamental attributes or features of a system component
20that cannot be altered, ensuring a consistent and reliable basis for
21security decisions.
22
23To elaborate, in the context of IPE, system components primarily refer to
24files or the devices these files reside on. However, this is just a
25starting point. The concept of system components is flexible and can be
26extended to include new elements as the system evolves. The immutable
27properties include the origin of a file, which remains constant and
28unchangeable over time. For example, IPE policies can be crafted to trust
29files originating from the initramfs. Since initramfs is typically verified
30by the bootloader, its files are deemed trustworthy; "file is from
31initramfs" becomes an immutable property under IPE's consideration.
32
33The immutable property concept extends to the security features enabled on
34a file's origin, such as dm-verity or fs-verity, which provide a layer of
35integrity and trust. For example, IPE allows the definition of policies
36that trust files from a dm-verity protected device. dm-verity ensures the
37integrity of an entire device by providing a verifiable and immutable state
38of its contents. Similarly, fs-verity offers filesystem-level integrity
39checks, allowing IPE to enforce policies that trust files protected by
40fs-verity. These two features cannot be turned off once established, so
41they are considered immutable properties. These examples demonstrate how
42IPE leverages immutable properties, such as a file's origin and its
43integrity protection mechanisms, to make access control decisions.
44
45For the IPE policy, specifically, it grants the ability to enforce
46stringent access controls by assessing security properties against
47reference values defined within the policy. This assessment can be based on
48the existence of a security property (e.g., verifying if a file originates
49from initramfs) or evaluating the internal state of an immutable security
50property. The latter includes checking the roothash of a dm-verity
51protected device, determining whether dm-verity possesses a valid
52signature, assessing the digest of a fs-verity protected file, or
53determining whether fs-verity possesses a valid built-in signature. This
54nuanced approach to policy enforcement enables a highly secure and
55customizable system defense mechanism, tailored to specific security
56requirements and trust models.
57
58To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under
59:menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
60option is enabled.
61
62Use Cases
63---------
64
65IPE works best in fixed-function devices: devices in which their purpose
66is clearly defined and not supposed to be changed (e.g. network firewall
67device in a data center, an IoT device, etcetera), where all software and
68configuration is built and provisioned by the system owner.
69
70IPE is a long-way off for use in general-purpose computing: the Linux
71community as a whole tends to follow a decentralized trust model (known as
72the web of trust), which IPE has no support for it yet. Instead, IPE
73supports PKI (public key infrastructure), which generally designates a
74set of trusted entities that provide a measure of absolute trust.
75
76Additionally, while most packages are signed today, the files inside
77the packages (for instance, the executables), tend to be unsigned. This
78makes it difficult to utilize IPE in systems where a package manager is
79expected to be functional, without major changes to the package manager
80and ecosystem behind it.
81
82The digest_cache LSM [#digest_cache_lsm]_ is a system that when combined with IPE,
83could be used to enable and support general-purpose computing use cases.
84
85Known Limitations
86-----------------
87
88IPE cannot verify the integrity of anonymous executable memory, such as
89the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code.
90Unfortunately, as this is dynamically generated code, there is no way
91for IPE to ensure the integrity of this code to form a trust basis.
92
93IPE cannot verify the integrity of programs written in interpreted
94languages when these scripts are invoked by passing these program files
95to the interpreter. This is because the way interpreters execute these
96files; the scripts themselves are not evaluated as executable code
97through one of IPE's hooks, but they are merely text files that are read
98(as opposed to compiled executables) [#interpreters]_.
99
100Threat Model
101------------
102
103IPE specifically targets the risk of tampering with user-space executable
104code after the kernel has initially booted, including the kernel modules
105loaded from userspace via ``modprobe`` or ``insmod``.
106
107To illustrate, consider a scenario where an untrusted binary, possibly
108malicious, is downloaded along with all necessary dependencies, including a
109loader and libc. The primary function of IPE in this context is to prevent
110the execution of such binaries and their dependencies.
111
112IPE achieves this by verifying the integrity and authenticity of all
113executable code before allowing them to run. It conducts a thorough
114check to ensure that the code's integrity is intact and that they match an
115authorized reference value (digest, signature, etc) as per the defined
116policy. If a binary does not pass this verification process, either
117because its integrity has been compromised or it does not meet the
118authorization criteria, IPE will deny its execution. Additionally, IPE
119generates audit logs which may be utilized to detect and analyze failures
120resulting from policy violation.
121
122Tampering threat scenarios include modification or replacement of
123executable code by a range of actors including:
124
125-  Actors with physical access to the hardware
126-  Actors with local network access to the system
127-  Actors with access to the deployment system
128-  Compromised internal systems under external control
129-  Malicious end users of the system
130-  Compromised end users of the system
131-  Remote (external) compromise of the system
132
133IPE does not mitigate threats arising from malicious but authorized
134developers (with access to a signing certificate), or compromised
135developer tools used by them (i.e. return-oriented programming attacks).
136Additionally, IPE draws hard security boundary between userspace and
137kernelspace. As a result, kernel-level exploits are considered outside
138the scope of IPE and mitigation is left to other mechanisms.
139
140Policy
141------
142
143IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
144over several lines. There is one required line, at the top of the
145policy, indicating the policy name, and the policy version, for
146instance::
147
148   policy_name=Ex_Policy policy_version=0.0.0
149
150The policy name is a unique key identifying this policy in a human
151readable name. This is used to create nodes under securityfs as well as
152uniquely identify policies to deploy new policies vs update existing
153policies.
154
155The policy version indicates the current version of the policy (NOT the
156policy syntax version). This is used to prevent rollback of policy to
157potentially insecure previous versions of the policy.
158
159The next portion of IPE policy are rules. Rules are formed by key=value
160pairs, known as properties. IPE rules require two properties: ``action``,
161which determines what IPE does when it encounters a match against the
162rule, and ``op``, which determines when the rule should be evaluated.
163The ordering is significant, a rule must start with ``op``, and end with
164``action``. Thus, a minimal rule is::
165
166   op=EXECUTE action=ALLOW
167
168This example will allow any execution. Additional properties are used to
169assess immutable security properties about the files being evaluated.
170These properties are intended to be descriptions of systems within the
171kernel that can provide a measure of integrity verification, such that IPE
172can determine the trust of the resource based on the value of the property.
173
174Rules are evaluated top-to-bottom. As a result, any revocation rules,
175or denies should be placed early in the file to ensure that these rules
176are evaluated before a rule with ``action=ALLOW``.
177
178IPE policy supports comments. The character '#' will function as a
179comment, ignoring all characters to the right of '#' until the newline.
180
181The default behavior of IPE evaluations can also be expressed in policy,
182through the ``DEFAULT`` statement. This can be done at a global level,
183or a per-operation level::
184
185   # Global
186   DEFAULT action=ALLOW
187
188   # Operation Specific
189   DEFAULT op=EXECUTE action=ALLOW
190
191A default must be set for all known operations in IPE. If you want to
192preserve older policies being compatible with newer kernels that can introduce
193new operations, set a global default of ``ALLOW``, then override the
194defaults on a per-operation basis (as above).
195
196With configurable policy-based LSMs, there's several issues with
197enforcing the configurable policies at startup, around reading and
198parsing the policy:
199
2001. The kernel *should* not read files from userspace, so directly reading
201   the policy file is prohibited.
2022. The kernel command line has a character limit, and one kernel module
203   should not reserve the entire character limit for its own
204   configuration.
2053. There are various boot loaders in the kernel ecosystem, so handing
206   off a memory block would be costly to maintain.
207
208As a result, IPE has addressed this problem through a concept of a "boot
209policy". A boot policy is a minimal policy which is compiled into the
210kernel. This policy is intended to get the system to a state where
211userspace is set up and ready to receive commands, at which point a more
212complex policy can be deployed via securityfs. The boot policy can be
213specified via ``SECURITY_IPE_BOOT_POLICY`` config option, which accepts
214a path to a plain-text version of the IPE policy to apply. This policy
215will be compiled into the kernel. If not specified, IPE will be disabled
216until a policy is deployed and activated through securityfs.
217
218Deploying Policies
219~~~~~~~~~~~~~~~~~~
220
221Policies can be deployed from userspace through securityfs. These policies
222are signed through the PKCS#7 message format to enforce some level of
223authorization of the policies (prohibiting an attacker from gaining
224unconstrained root, and deploying an "allow all" policy). These
225policies must be signed by a certificate that chains to the
226``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
227``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
228``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
229With openssl, the policy can be signed by::
230
231   openssl smime -sign \
232      -in "$MY_POLICY" \
233      -signer "$MY_CERTIFICATE" \
234      -inkey "$MY_PRIVATE_KEY" \
235      -noattr \
236      -nodetach \
237      -nosmimecap \
238      -outform der \
239      -out "$MY_POLICY.p7b"
240
241Deploying the policies is done through securityfs, through the
242``new_policy`` node. To deploy a policy, simply cat the file into the
243securityfs node::
244
245   cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy
246
247Upon success, this will create one subdirectory under
248``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
249``policy_name`` field of the policy deployed, so for the example above,
250the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``.
251Within this directory, there will be seven files: ``pkcs7``, ``policy``,
252``name``, ``version``, ``active``, ``update``, and ``delete``.
253
254The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data
255that was provided to the kernel, representing the policy. If the policy being
256read is the boot policy, this will return ``ENOENT``, as it is not signed.
257
258The ``policy`` file is read only. Reading it returns the PKCS#7 inner
259content of the policy, which will be the plain text policy.
260
261The ``active`` file is used to set a policy as the currently active policy.
262This file is rw, and accepts a value of ``"1"`` to set the policy as active.
263Since only a single policy can be active at one time, all other policies
264will be marked inactive. The policy being marked active must have a policy
265version greater or equal to the currently-running version.
266
267The ``update`` file is used to update a policy that is already present
268in the kernel. This file is write-only and accepts a PKCS#7 signed
269policy. Two checks will always be performed on this policy: First, the
270``policy_names`` must match with the updated version and the existing
271version. Second the updated policy must have a policy version greater than
272the currently-running version. This is to prevent rollback attacks.
273
274The ``delete`` file is used to remove a policy that is no longer needed.
275This file is write-only and accepts a value of ``1`` to delete the policy.
276On deletion, the securityfs node representing the policy will be removed.
277However, delete the current active policy is not allowed and will return
278an operation not permitted error.
279
280Similarly, writing to both ``update`` and ``new_policy`` could result in
281bad message(policy syntax error) or file exists error. The latter error happens
282when trying to deploy a policy with a ``policy_name`` while the kernel already
283has a deployed policy with the same ``policy_name``.
284
285Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will
286only enforce the policy marked active. Note that only one policy can be active
287at a time.
288
289Once deployment is successful, the policy can be activated, by writing file
290``/sys/kernel/security/ipe/policies/$policy_name/active``.
291For example, the ``Ex_Policy`` can be activated by::
292
293   echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"
294
295From above point on, ``Ex_Policy`` is now the enforced policy on the
296system.
297
298IPE also provides a way to delete policies. This can be done via the
299``delete`` securityfs node,
300``/sys/kernel/security/ipe/policies/$policy_name/delete``.
301Writing ``1`` to that file deletes the policy::
302
303   echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"
304
305There is only one requirement to delete a policy: the policy being deleted
306must be inactive.
307
308.. NOTE::
309
310   If a traditional MAC system is enabled (SELinux, apparmor, smack), all
311   writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
312
313Modes
314~~~~~
315
316IPE supports two modes of operation: permissive (similar to SELinux's
317permissive mode) and enforced. In permissive mode, all events are
318checked and policy violations are logged, but the policy is not really
319enforced. This allows users to test policies before enforcing them.
320
321The default mode is enforce, and can be changed via the kernel command
322line parameter ``ipe.enforce=(0|1)``, or the securityfs node
323``/sys/kernel/security/ipe/enforce``.
324
325.. NOTE::
326
327   If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
328   all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
329
330Audit Events
331~~~~~~~~~~~~
332
3331420 AUDIT_IPE_ACCESS
334^^^^^^^^^^^^^^^^^^^^^
335Event Examples::
336
337   type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-linux.so" path="/deny/lib/libc.so.6" dev="sda2" ino=14549020 rule="DEFAULT action=DENY"
338   type=1300 audit(1653364370.067:61): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.so" subj=unconfined key=(null)
339   type=1327 audit(1653364370.067:61): 707974686F6E3300746573742F6D61696E2E7079002D6E00
340
341   type=1420 audit(1653364735.161:64): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2472 comm="mmap_test" path=? dev=? ino=? rule="DEFAULT action=DENY"
342   type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=21 items=0 ppid=2219 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mmap_test" exe="/root/overlake_test/upstream_test/vol_fsverity/bin/mmap_test" subj=unconfined key=(null)
343   type=1327 audit(1653364735.161:64): 707974686F6E3300746573742F6D61696E2E7079002D6E00
344
345This event indicates that IPE made an access control decision; the IPE
346specific record (1420) is always emitted in conjunction with a
347``AUDITSYSCALL`` record.
348
349Determining whether IPE is in permissive or enforced mode can be derived
350from ``success`` property and exit code of the ``AUDITSYSCALL`` record.
351
352
353Field descriptions:
354
355+-----------+------------+-----------+---------------------------------------------------------------------------------+
356| Field     | Value Type | Optional? | Description of Value                                                            |
357+===========+============+===========+=================================================================================+
358| ipe_op    | string     | No        | The IPE operation name associated with the log                                  |
359+-----------+------------+-----------+---------------------------------------------------------------------------------+
360| ipe_hook  | string     | No        | The name of the LSM hook that triggered the IPE event                           |
361+-----------+------------+-----------+---------------------------------------------------------------------------------+
362| enforcing | integer    | No        | The current IPE enforcing state 1 is in enforcing mode, 0 is in permissive mode |
363+-----------+------------+-----------+---------------------------------------------------------------------------------+
364| pid       | integer    | No        | The pid of the process that triggered the IPE event.                            |
365+-----------+------------+-----------+---------------------------------------------------------------------------------+
366| comm      | string     | No        | The command line program name of the process that triggered the IPE event       |
367+-----------+------------+-----------+---------------------------------------------------------------------------------+
368| path      | string     | Yes       | The absolute path to the evaluated file                                         |
369+-----------+------------+-----------+---------------------------------------------------------------------------------+
370| ino       | integer    | Yes       | The inode number of the evaluated file                                          |
371+-----------+------------+-----------+---------------------------------------------------------------------------------+
372| dev       | string     | Yes       | The device name of the evaluated file, e.g. vda                                 |
373+-----------+------------+-----------+---------------------------------------------------------------------------------+
374| rule      | string     | No        | The matched policy rule                                                         |
375+-----------+------------+-----------+---------------------------------------------------------------------------------+
376
3771421 AUDIT_IPE_CONFIG_CHANGE
378^^^^^^^^^^^^^^^^^^^^^^^^^^^^
379
380Event Example::
381
382   type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
383   type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
384   type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2
385
386This event indicates that IPE switched the active poliy from one to another
387along with the version and the hash digest of the two policies.
388Note IPE can only have one policy active at a time, all access decision
389evaluation is based on the current active policy.
390The normal procedure to deploy a new policy is loading the policy to deploy
391into the kernel first, then switch the active policy to it.
392
393This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.
394
395Field descriptions:
396
397+------------------------+------------+-----------+---------------------------------------------------+
398| Field                  | Value Type | Optional? | Description of Value                              |
399+========================+============+===========+===================================================+
400| old_active_pol_name    | string     | Yes       | The name of previous active policy                |
401+------------------------+------------+-----------+---------------------------------------------------+
402| old_active_pol_version | string     | Yes       | The version of previous active policy             |
403+------------------------+------------+-----------+---------------------------------------------------+
404| old_policy_digest      | string     | Yes       | The hash of previous active policy                |
405+------------------------+------------+-----------+---------------------------------------------------+
406| new_active_pol_name    | string     | No        | The name of current active policy                 |
407+------------------------+------------+-----------+---------------------------------------------------+
408| new_active_pol_version | string     | No        | The version of current active policy              |
409+------------------------+------------+-----------+---------------------------------------------------+
410| new_policy_digest      | string     | No        | The hash of current active policy                 |
411+------------------------+------------+-----------+---------------------------------------------------+
412| auid                   | integer    | No        | The login user ID                                 |
413+------------------------+------------+-----------+---------------------------------------------------+
414| ses                    | integer    | No        | The login session ID                              |
415+------------------------+------------+-----------+---------------------------------------------------+
416| lsm                    | string     | No        | The lsm name associated with the event            |
417+------------------------+------------+-----------+---------------------------------------------------+
418| res                    | integer    | No        | The result of the audited operation(success/fail) |
419+------------------------+------------+-----------+---------------------------------------------------+
420
4211422 AUDIT_IPE_POLICY_LOAD
422^^^^^^^^^^^^^^^^^^^^^^^^^^
423
424Event Example::
425
426   type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
427   type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
428   type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E
429
430This record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash.
431
432This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.
433
434Field descriptions:
435
436+----------------+------------+-----------+---------------------------------------------------+
437| Field          | Value Type | Optional? | Description of Value                              |
438+================+============+===========+===================================================+
439| policy_name    | string     | No        | The policy_name                                   |
440+----------------+------------+-----------+---------------------------------------------------+
441| policy_version | string     | No        | The policy_version                                |
442+----------------+------------+-----------+---------------------------------------------------+
443| policy_digest  | string     | No        | The policy hash                                   |
444+----------------+------------+-----------+---------------------------------------------------+
445| auid           | integer    | No        | The login user ID                                 |
446+----------------+------------+-----------+---------------------------------------------------+
447| ses            | integer    | No        | The login session ID                              |
448+----------------+------------+-----------+---------------------------------------------------+
449| lsm            | string     | No        | The lsm name associated with the event            |
450+----------------+------------+-----------+---------------------------------------------------+
451| res            | integer    | No        | The result of the audited operation(success/fail) |
452+----------------+------------+-----------+---------------------------------------------------+
453
454
4551404 AUDIT_MAC_STATUS
456^^^^^^^^^^^^^^^^^^^^^
457
458Event Examples::
459
460   type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
461   type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
462   type=1327 audit(1653425689.008:55): proctitle="-bash"
463
464   type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
465   type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
466   type=1327 audit(1653425689.008:55): proctitle="-bash"
467
468This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.
469
470Field descriptions:
471
472+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
473| Field         | Value Type | Optional? | Description of Value                                                                            |
474+===============+============+===========+=================================================================================================+
475| enforcing     | integer    | No        | The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode   |
476+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
477| old_enforcing | integer    | No        | The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode |
478+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
479| auid          | integer    | No        | The login user ID                                                                               |
480+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
481| ses           | integer    | No        | The login session ID                                                                            |
482+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
483| enabled       | integer    | No        | The new TTY audit enabled setting                                                               |
484+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
485| old-enabled   | integer    | No        | The old TTY audit enabled setting                                                               |
486+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
487| lsm           | string     | No        | The lsm name associated with the event                                                          |
488+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
489| res           | integer    | No        | The result of the audited operation(success/fail)                                               |
490+---------------+------------+-----------+-------------------------------------------------------------------------------------------------+
491
492
493Success Auditing
494^^^^^^^^^^^^^^^^
495
496IPE supports success auditing. When enabled, all events that pass IPE
497policy and are not blocked will emit an audit event. This is disabled by
498default, and can be enabled via the kernel command line
499``ipe.success_audit=(0|1)`` or
500``/sys/kernel/security/ipe/success_audit`` securityfs file.
501
502This is *very* noisy, as IPE will check every userspace binary on the
503system, but is useful for debugging policies.
504
505.. NOTE::
506
507   If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
508   all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
509
510Properties
511----------
512
513As explained above, IPE properties are ``key=value`` pairs expressed in IPE
514policy. Two properties are built-into the policy parser: 'op' and 'action'.
515The other properties are used to restrict immutable security properties
516about the files being evaluated. Currently those properties are:
517'``boot_verified``', '``dmverity_signature``', '``dmverity_roothash``',
518'``fsverity_signature``', '``fsverity_digest``'. A description of all
519properties supported by IPE are listed below:
520
521op
522~~
523
524Indicates the operation for a rule to apply to. Must be in every rule,
525as the first token. IPE supports the following operations:
526
527   ``EXECUTE``
528
529      Pertains to any file attempting to be executed, or loaded as an
530      executable.
531
532   ``FIRMWARE``:
533
534      Pertains to firmware being loaded via the firmware_class interface.
535      This covers both the preallocated buffer and the firmware file
536      itself.
537
538   ``KMODULE``:
539
540      Pertains to loading kernel modules via ``modprobe`` or ``insmod``.
541
542   ``KEXEC_IMAGE``:
543
544      Pertains to kernel images loading via ``kexec``.
545
546   ``KEXEC_INITRAMFS``
547
548      Pertains to initrd images loading via ``kexec --initrd``.
549
550   ``POLICY``:
551
552      Controls loading policies via reading a kernel-space initiated read.
553
554      An example of such is loading IMA policies by writing the path
555      to the policy file to ``$securityfs/ima/policy``
556
557   ``X509_CERT``:
558
559      Controls loading IMA certificates through the Kconfigs,
560      ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``.
561
562action
563~~~~~~
564
565   Determines what IPE should do when a rule matches. Must be in every
566   rule, as the final clause. Can be one of:
567
568   ``ALLOW``:
569
570      If the rule matches, explicitly allow access to the resource to proceed
571      without executing any more rules.
572
573   ``DENY``:
574
575      If the rule matches, explicitly prohibit access to the resource to
576      proceed without executing any more rules.
577
578boot_verified
579~~~~~~~~~~~~~
580
581   This property can be utilized for authorization of files from initramfs.
582   The format of this property is::
583
584         boot_verified=(TRUE|FALSE)
585
586
587   .. WARNING::
588
589      This property will trust files from initramfs(rootfs). It should
590      only be used during early booting stage. Before mounting the real
591      rootfs on top of the initramfs, initramfs script will recursively
592      remove all files and directories on the initramfs. This is typically
593      implemented by using switch_root(8) [#switch_root]_. Therefore the
594      initramfs will be empty and not accessible after the real
595      rootfs takes over. It is advised to switch to a different policy
596      that doesn't rely on the property after this point.
597      This ensures that the trust policies remain relevant and effective
598      throughout the system's operation.
599
600dmverity_roothash
601~~~~~~~~~~~~~~~~~
602
603   This property can be utilized for authorization or revocation of
604   specific dm-verity volumes, identified via their root hashes. It has a
605   dependency on the DM_VERITY module. This property is controlled by
606   the ``IPE_PROP_DM_VERITY`` config option, it will be automatically
607   selected when ``SECURITY_IPE`` and ``DM_VERITY`` are all enabled.
608   The format of this property is::
609
610      dmverity_roothash=DigestName:HexadecimalString
611
612   The supported DigestNames for dmverity_roothash are [#dmveritydigests]_
613
614      + blake2b-512
615      + blake2s-256
616      + sha256
617      + sha384
618      + sha512
619      + sha3-224
620      + sha3-256
621      + sha3-384
622      + sha3-512
623      + sm3
624      + rmd160
625
626dmverity_signature
627~~~~~~~~~~~~~~~~~~
628
629   This property can be utilized for authorization of all dm-verity
630   volumes that have a signed roothash that validated by a keyring
631   specified by dm-verity's configuration, either the system trusted
632   keyring, or the secondary keyring. It depends on
633   ``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by
634   the ``IPE_PROP_DM_VERITY_SIGNATURE`` config option, it will be automatically
635   selected when ``SECURITY_IPE``, ``DM_VERITY`` and
636   ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled.
637   The format of this property is::
638
639      dmverity_signature=(TRUE|FALSE)
640
641fsverity_digest
642~~~~~~~~~~~~~~~
643
644   This property can be utilized for authorization of specific fsverity
645   enabled files, identified via their fsverity digests.
646   It depends on ``FS_VERITY`` config option and is controlled by
647   the ``IPE_PROP_FS_VERITY`` config option, it will be automatically
648   selected when ``SECURITY_IPE`` and ``FS_VERITY`` are all enabled.
649   The format of this property is::
650
651      fsverity_digest=DigestName:HexadecimalString
652
653   The supported DigestNames for fsverity_digest are [#fsveritydigest]_
654
655      + sha256
656      + sha512
657
658fsverity_signature
659~~~~~~~~~~~~~~~~~~
660
661   This property is used to authorize all fs-verity enabled files that have
662   been verified by fs-verity's built-in signature mechanism. The signature
663   verification relies on a key stored within the ".fs-verity" keyring. It
664   depends on ``FS_VERITY_BUILTIN_SIGNATURES`` config option and
665   it is controlled by the ``IPE_PROP_FS_VERITY`` config option,
666   it will be automatically selected when ``SECURITY_IPE``, ``FS_VERITY``
667   and ``FS_VERITY_BUILTIN_SIGNATURES`` are all enabled.
668   The format of this property is::
669
670      fsverity_signature=(TRUE|FALSE)
671
672Policy Examples
673---------------
674
675Allow all
676~~~~~~~~~
677
678::
679
680   policy_name=Allow_All policy_version=0.0.0
681   DEFAULT action=ALLOW
682
683Allow only initramfs
684~~~~~~~~~~~~~~~~~~~~
685
686::
687
688   policy_name=Allow_Initramfs policy_version=0.0.0
689   DEFAULT action=DENY
690
691   op=EXECUTE boot_verified=TRUE action=ALLOW
692
693Allow any signed and validated dm-verity volume and the initramfs
694~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
695
696::
697
698   policy_name=Allow_Signed_DMV_And_Initramfs policy_version=0.0.0
699   DEFAULT action=DENY
700
701   op=EXECUTE boot_verified=TRUE action=ALLOW
702   op=EXECUTE dmverity_signature=TRUE action=ALLOW
703
704Prohibit execution from a specific dm-verity volume
705~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
706
707::
708
709   policy_name=Deny_DMV_By_Roothash policy_version=0.0.0
710   DEFAULT action=DENY
711
712   op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY
713
714   op=EXECUTE boot_verified=TRUE action=ALLOW
715   op=EXECUTE dmverity_signature=TRUE action=ALLOW
716
717Allow only a specific dm-verity volume
718~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
719
720::
721
722   policy_name=Allow_DMV_By_Roothash policy_version=0.0.0
723   DEFAULT action=DENY
724
725   op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW
726
727Allow any fs-verity file with a valid built-in signature
728~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
729
730::
731
732   policy_name=Allow_Signed_And_Validated_FSVerity policy_version=0.0.0
733   DEFAULT action=DENY
734
735   op=EXECUTE fsverity_signature=TRUE action=ALLOW
736
737Allow execution of a specific fs-verity file
738~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
739
740::
741
742   policy_name=ALLOW_FSV_By_Digest policy_version=0.0.0
743   DEFAULT action=DENY
744
745   op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=ALLOW
746
747Additional Information
748----------------------
749
750- `Github Repository <https://github.com/microsoft/ipe>`_
751- :doc:`Developer and design docs for IPE </security/ipe>`
752
753FAQ
754---
755
756Q:
757   What's the difference between other LSMs which provide a measure of
758   trust-based access control?
759
760A:
761
762   In general, there's two other LSMs that can provide similar functionality:
763   IMA, and Loadpin.
764
765   IMA and IPE are functionally very similar. The significant difference between
766   the two is the policy. [#devdoc]_
767
768   Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's
769   kernel read operations, whereas IPE is capable of controlling execution
770   on top of kernel read. The trust model is also different; Loadpin roots its
771   trust in the initial super-block, whereas trust in IPE is stemmed from kernel
772   itself (via ``SYSTEM_TRUSTED_KEYS``).
773
774-----------
775
776.. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/
777
778.. [#interpreters] There is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_.
779
780.. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on
781             this topic.
782
783.. [#switch_root] https://man7.org/linux/man-pages/man8/switch_root.8.html
784
785.. [#dmveritydigests] These hash algorithms are based on values accepted by
786                      the Linux crypto API; IPE does not impose any
787                      restrictions on the digest algorithm itself;
788                      thus, this list may be out of date.
789
790.. [#fsveritydigest] These hash algorithms are based on values accepted by the
791                     kernel's fsverity support; IPE does not impose any
792                     restrictions on the digest algorithm itself;
793                     thus, this list may be out of date.
794