Integrity Policy Enforcement (IPE) - Kernel Documentation

Note

This is documentation targeted at developers, instead of administrators.If you’re looking for documentation on the usage of IPE, please seeIPE admin guide.

Historical Motivation

The original issue that prompted IPE’s implementation was the creationof a locked-down system. This system would be born-secure, and havestrong integrity guarantees over both the executable code, and specificdata files on the system, that were critical to its function. Thesespecific data files would not be readable unless they passed integritypolicy. A mandatory access control system would be present, andas a result, xattrs would have to be protected. This lead to a selectionof what would provide the integrity claims. At the time, there were twomain mechanisms considered that could guarantee integrity for the systemwith these requirements:

  1. IMA + EVM Signatures

  2. DM-Verity

Both options were carefully considered, however the choice to use DM-Verityover IMA+EVM as theintegrity mechanism in the original use case of IPEwas due to three main reasons:

  1. Protection of additional attack vectors:

  • With IMA+EVM, without an encryption solution, the system is vulnerableto offline attack against the aforementioned specific data files.

    Unlike executables, read operations (like those on the protected datafiles), cannot be enforced to be globally integrity verified. This meansthere must be some form of selector to determine whether a read shouldenforce the integrity policy, or it should not.

    At the time, this was done with mandatory access control labels. An IMApolicy would indicate what labels required integrity verification, whichpresented an issue: EVM would protect the label, but if an attacker couldmodify filesystem offline, the attacker could wipe all the xattrs -including the SELinux labels that would be used to determine whether thefile should be subject to integrity policy.

    With DM-Verity, as the xattrs are saved as part of the Merkel tree, ifoffline mount occurs against the filesystem protected by dm-verity, thechecksum no longer matches and the file fails to be read.

  • As userspace binaries are paged in Linux, dm-verity also offers theadditional protection against a hostile block device. In such an attack,the block device reports the appropriate content for the IMA hashinitially, passing the required integrity check. Then, on the page faultthat accesses the real data, will report the attacker’s payload. Sincedm-verity will check the data when the page fault occurs (and the diskaccess), this attack is mitigated.

  1. Performance:

  • dm-verity provides integrity verification on demand as blocks areread versus requiring the entire file being read into memory forvalidation.

  1. Simplicity of signing:

  • No need for two signatures (IMA, then EVM): one signature coversan entire block device.

  • Signatures can be stored externally to the filesystem metadata.

  • The signature supports an x.509-based signing infrastructure.

The next step was to choose apolicy to enforce the integrity mechanism.The minimum requirements for the policy were:

  1. The policy itself must be integrity verified (preventing trivialattack against it).

  2. The policy itself must be resistant to rollback attacks.

  3. The policy enforcement must have a permissive-like mode.

  4. The policy must be able to be updated, in its entirety, withouta reboot.

  5. Policy updates must be atomic.

  6. The policy must supportrevocations of previously authoredcomponents.

  7. The policy must be auditable, at any point-of-time.

IMA, as the only integrity policy mechanism at the time, wasconsidered against these list of requirements, and did not fulfillall of the minimum requirements. Extending IMA to cover theserequirements was considered, but ultimately discarded for atwo reasons:

  1. Regression risk; many of these changes would result indramatic code changes to IMA, which is already present in thekernel, and therefore might impact users.

  2. IMA was used in the system for measurement and attestation;separation of measurement policy from local integrity policyenforcement was considered favorable.

Due to these reasons, it was decided that a new LSM should be created,whose responsibility would be only the local integrity policy enforcement.

Role and Scope

IPE, as its name implies, is fundamentally an integrity policy enforcementsolution; IPE does not mandate how integrity is provided, but insteadleaves that decision to the system administrator to set the security bar,via the mechanisms that they select that suit their individual needs.There are several different integrity solutions that provide a differentlevel of security guarantees; and IPE allows sysadmins to express policy fortheoretically all of them.

IPE does not have an inherent mechanism to ensure integrity on its own.Instead, there are more effective layers available for building systems thatcan guarantee integrity. It’s important to note that the mechanism for provingintegrity is independent of the policy for enforcing that integrity claim.

Therefore, IPE was designed around:

  1. Easy integrations with integrity providers.

  2. Ease of use for platform administrators/sysadmins.

Design Rationale:

IPE was designed after evaluating existing integrity policy solutionsin other operating systems and environments. In this survey of otherimplementations, there were a few pitfalls identified:

  1. Policies were not readable by humans, usually requiring a binaryintermediary format.

  2. A single, non-customizable action was implicitly taken as a default.

  3. Debugging the policy required manual steps to determine what rule was violated.

  4. Authoring a policy required an in-depth knowledge of the larger system,or operating system.

IPE attempts to avoid all of these pitfalls.

Policy

Plain Text

IPE’s policy is plain-text. This introduces slightly larger policy files thanother LSMs, but solves two major problems that occurs with some integrity policysolutions on other platforms.

The first issue is one of code maintenance and duplication. To author policies,the policy has to be some form of string representation (be it structured,through XML, JSON, YAML, etcetera), to allow the policy author to understandwhat is being written. In a hypothetical binary policy design, a serializeris necessary to write the policy from the human readable form, to the binaryform, and a deserializer is needed to interpret the binary form into a datastructure in the kernel.

Eventually, another deserializer will be needed to transform the binary fromback into the human-readable form with as much information preserved. This is because auser of this access control system will have to keep a lookup table of a checksumand the original file itself to try to understand what policies have been deployedon this system and what policies have not. For a single user, this may be alright,as old policies can be discarded almost immediately after the update takes hold.For users that manage computer fleets in the thousands, if not hundreds of thousands,with multiple different operating systems, and multiple different operational needs,this quickly becomes an issue, as stale policies from years ago may be present,quickly resulting in the need to recover the policy or fund extensive infrastructureto track what each policy contains.

With now three separate serializer/deserializers, maintenance becomes costly. If thepolicy avoids the binary format, there is only one required serializer: from thehuman-readable form to the data structure in kernel, saving on code maintenance,and retaining operability.

The second issue with a binary format is one of transparency. As IPE controlsaccess based on the trust of the system’s resources, it’s policy must also betrusted to be changed. This is done through signatures, resulting in needingsigning as a process. Signing, as a process, is typically done with ahigh security bar, as anything signed can be used to attack integrityenforcement systems. It is also important that, when signing something, thatthe signer is aware of what they are signing. A binary policy can causeobfuscation of that fact; what signers see is an opaque binary blob. Aplain-text policy, on the other hand, the signers see the actual policysubmitted for signing.

Boot Policy

IPE, if configured appropriately, is able to enforce a policy as soon as akernel is booted and usermode starts. That implies some level of storageof the policy to apply the minute usermode starts. Generally, that storagecan be handled in one of three ways:

  1. The policy file(s) live on disk and the kernel loads the policy priorto an code path that would result in an enforcement decision.

  2. The policy file(s) are passed by the bootloader to the kernel, whoparses the policy.

  3. There is a policy file that is compiled into the kernel that isparsed and enforced on initialization.

The first option has problems: the kernel reading files from userspaceis typically discouraged and very uncommon in the kernel.

The second option also has problems: Linux supports a variety of bootloadersacross its entire ecosystem - every bootloader would have to support thisnew methodology or there must be an independent source. It would likelyresult in more drastic changes to the kernel startup than necessary.

The third option is the best but it’s important to be aware that the policywill take disk space against the kernel it’s compiled in. It’s important tokeep this policy generalized enough that userspace can load a new, morecomplicated policy, but restrictive enough that it will not overauthorizeand cause security issues.

The initramfs provides a way that this bootup path can be established. Thekernel starts with a minimal policy, that trusts the initramfs only. Insidethe initramfs, when the real rootfs is mounted, but not yet transferred to,it deploys and activates a policy that trusts the new root filesystem.This prevents overauthorization at any step, and keeps the kernel policyto a minimal size.

Startup

Not every system, however starts with an initramfs, so the startup policycompiled into the kernel will need some flexibility to express how trustis established for the next phase of the bootup. To this end, if we justmake the compiled-in policy a full IPE policy, it allows system buildersto express the first stage bootup requirements appropriately.

Updatable, Rebootless Policy

As requirements change over time (vulnerabilities are found in previouslytrusted applications, keys roll, etcetera). Updating a kernel to change themeet those security goals is not always a suitable option, as updates are notalways risk-free, and blocking a security update leaves systems vulnerable.This means IPE requires a policy that can be completely updated (allowingrevocations of existing policy) from a source external to the kernel (allowingpolicies to be updated without updating the kernel).

Additionally, since the kernel is stateless between invocations, and readingpolicy files off the disk from kernel space is a bad idea(tm), then thepolicy updates have to be done rebootlessly.

To allow an update from an external source, it could be potentially malicious,so this policy needs to have a way to be identified as trusted. This isdone via a signature chained to a trust source in the kernel. Arbitrarily,this is theSYSTEM_TRUSTED_KEYRING, a keyring that is initiallypopulated at kernel compile-time, as this matches the expectation that theauthor of the compiled-in policy described above is the same entity that candeploy policy updates.

Anti-Rollback / Anti-Replay

Over time, vulnerabilities are found and trusted resources may not betrusted anymore. IPE’s policy has no exception to this. There can beinstances where a mistaken policy author deploys an insecure policy,before correcting it with a secure policy.

Assuming that as soon as the insecure policy is signed, and an attackeracquires the insecure policy, IPE needs a way to prevent rollbackfrom the secure policy update to the insecure policy update.

Initially, IPE’s policy can have a policy_version that states theminimum required version across all policies that can be active onthe system. This will prevent rollback while the system is live.

Warning

However, since the kernel is stateless across boots, this policyversion will be reset to 0.0.0 on the next boot. System buildersneed to be aware of this, and ensure the new secure policies aredeployed ASAP after a boot to ensure that the window ofopportunity is minimal for an attacker to deploy the insecure policy.

Implicit Actions:

The issue of implicit actions only becomes visible when you considera mixed level of security bars across multiple operations in a system.For example, consider a system that has strong integrity guaranteesover both the executable code, and specificdata files on the system,that were critical to its function. In this system, three types of policiesare possible:

  1. A policy in which failure to match any rules in the policy resultsin the action being denied.

  2. A policy in which failure to match any rules in the policy resultsin the action being allowed.

  3. A policy in which the action taken when no rules are matched isspecified by the policy author.

The first option could make a policy like this:

op=EXECUTE integrity_verified=YES action=ALLOW

In the example system, this works well for the executables, as allexecutables should have integrity guarantees, without exception. Theissue becomes with the second requirement about specific data files.This would result in a policy like this (assuming each line isevaluated in order):

op=EXECUTE integrity_verified=YES action=ALLOWop=READ integrity_verified=NO label=critical_t action=DENYop=READ action=ALLOW

This is somewhat clear if you read the docs, understand the policyis executed in order and that the default is a denial; however, thelast line effectively changes that default to an ALLOW. This isrequired, because in a realistic system, there are some unverifiedreads (imagine appending to a log file).

The second option, matching no rules results in an allow, is clearerfor the specific data files:

op=READ integrity_verified=NO label=critical_t action=DENY

And, like the first option, falls short with the execution scenario,effectively needing to override the default:

op=EXECUTE integrity_verified=YES action=ALLOWop=EXECUTE action=DENYop=READ integrity_verified=NO label=critical_t action=DENY

This leaves the third option. Instead of making users be cleverand override the default with an empty rule, force the end-userto consider what the appropriate default should be for theirscenario and explicitly state it:

DEFAULT op=EXECUTE action=DENYop=EXECUTE integrity_verified=YES action=ALLOWDEFAULT op=READ action=ALLOWop=READ integrity_verified=NO label=critical_t action=DENY

Policy Debugging:

When developing a policy, it is useful to know what line of the policyis being violated to reduce debugging costs; narrowing the scope of theinvestigation to the exact line that resulted in the action. Some integritypolicy systems do not provide this information, instead providing theinformation that was used in the evaluation. This then requires a correlationwith the policy to evaluate what went wrong.

Instead, IPE just emits the rule that was matched. This limits the scopeof the investigation to the exact policy line (in the case of a specificrule), or the section (in the case of a DEFAULT). This decreases iterationand investigation times when policy failures are observed while evaluatingpolicies.

IPE’s policy engine is also designed in a way that it makes it obvious toa human of how to investigate a policy failure. Each line is evaluated inthe sequence that is written, so the algorithm is very simple to followfor humans to recreate the steps and could have caused the failure. In othersurveyed systems, optimizations occur (sorting rules, for instance) when loadingthe policy. In those systems, it requires multiple steps to debug, and thealgorithm may not always be clear to the end-user without reading the code first.

Simplified Policy:

Finally, IPE’s policy is designed for sysadmins, not kernel developers. Insteadof covering individual LSM hooks (or syscalls), IPE covers operations. This meansinstead of sysadmins needing to know that the syscallsmmap,mprotect,execve, anduselib must have rules protecting them, they must simple knowthat they want to restrict code execution. This limits the amount of bypasses thatcould occur due to a lack of knowledge of the underlying system; whereas themaintainers of IPE, being kernel developers can make the correct choice to determinewhether something maps to these operations, and under what conditions.

Implementation Notes

Anonymous Memory

Anonymous memory isn’t treated any differently from any other access in IPE.When anonymous memory is mapped with+X, it still comes into thefile_mmaporfile_mprotect hook, but with aNULL file object. This is submitted tothe evaluation, like any other file. However, all current trust properties willevaluate to false, as they are all file-based and the operation is notassociated with a file.

Warning

This also occurs with thekernel_load_data hook, when the kernel isloading data from a userspace buffer that is not backed by a file. In thisscenario all current trust properties will also evaluate to false.

Securityfs Interface

The per-policy securityfs tree is somewhat unique. For example, fora standard securityfs policy tree:

MyPolicy  |- active  |- delete  |- name  |- pkcs7  |- policy  |- update  |- version

The policy is stored in the->i_private data of the MyPolicy inode.

Tests

IPE has KUnit Tests for the policy parser. Recommended kunitconfig:

CONFIG_KUNIT=yCONFIG_SECURITY=yCONFIG_SECURITYFS=yCONFIG_PKCS7_MESSAGE_PARSER=yCONFIG_SYSTEM_DATA_VERIFICATION=yCONFIG_FS_VERITY=yCONFIG_FS_VERITY_BUILTIN_SIGNATURES=yCONFIG_BLOCK=yCONFIG_MD=yCONFIG_BLK_DEV_DM=yCONFIG_DM_VERITY=yCONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=yCONFIG_NET=yCONFIG_AUDIT=yCONFIG_AUDITSYSCALL=yCONFIG_BLK_DEV_INITRD=yCONFIG_SECURITY_IPE=yCONFIG_IPE_PROP_DM_VERITY=yCONFIG_IPE_PROP_DM_VERITY_SIGNATURE=yCONFIG_IPE_PROP_FS_VERITY=yCONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=yCONFIG_SECURITY_IPE_KUNIT_TEST=y

In addition, IPE has a python based integrationtest suite thatcan test both user interfaces and enforcement functionalities.