Commit ac673187 authored by Deven Bowers, committed by Paul Moore

documentation: add IPE documentation
Add IPE's admin and developer documentation to the kernel tree.

Co-developed-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent 10ca05a7
+1 −0
@@ -47,3 +47,4 @@ subdirectories.
   tomoyo
   Yama
   SafeSetID
   ipe
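Review bot: the new `ipe` toctree entry only resolves if the added document is named `ipe.rst` in this same directory; that name is also what the `:doc:` target `/admin-guide/LSM/ipe` in the fs-verity hunk of this commit expects, so a mismatch would produce a Sphinx "toctree contains reference to nonexisting document" warning and a dangling cross-reference at the same time.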
+790 −0

File added.


+12 −0
@@ -2350,6 +2350,18 @@
	ipcmni_extend	[KNL,EARLY] Extend the maximum number of unique System V
			IPC identifiers from 32,768 to 16,777,216.

	ipe.enforce=	[IPE]
			Format: <bool>
			Determine whether IPE starts in permissive (0) or
			enforce (1) mode. The default is enforce.

	ipe.success_audit=
			[IPE]
			Format: <bool>
			Start IPE with success auditing enabled, emitting
			an audit event when a binary is allowed. The default
			is 0.

	irqaffinity=	[SMP] Set the default irq affinity mask
			The argument is a cpu list, as described above.
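Review bot: the two new entries describe their defaults inconsistently and lay out the `[IPE]` tag differently; `ipe.enforce=` says "The default is enforce" while `ipe.success_audit=` says "The default is 0", and the first keeps `[IPE]` on the parameter line whereas the second moves it to its own line. Since both are declared `Format: <bool>`, state both defaults as the boolean value, e.g. "The default is 1 (enforce)." and "The default is 0 (disabled).", and use the same line layout for both. It would also help administrators to note that `ipe.enforce=0` puts the LSM in permissive mode for the entire boot, so the kernel command line must be protected wherever IPE enforcement is relied upon.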

+5 −1
@@ -92,7 +92,9 @@ authenticating fs-verity file hashes include:
  "IPE policy" specifically allows for the authorization of fs-verity
  files using properties ``fsverity_digest`` for identifying
  files by their verity digest, and ``fsverity_signature`` to authorize
  files with a verified fs-verity's built-in signature.
  files with a verified fs-verity's built-in signature. For
  details on configuring IPE policies and understanding its operational
  modes, please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>`.

- Trusted userspace code in combination with `Built-in signature
  verification`_.  This approach should be used only with great care.
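Review bot: the rewritten sentence keeps the awkward phrase "a verified fs-verity's built-in signature" from the line it replaces; "a verified fs-verity built-in signature" reads correctly, and the rest of this file (see the second hunk: "fs-verity builtin signature") spells it "builtin", so pick one spelling. In the added sentence, "understanding its operational modes" is fine, but "IPE policies" and "its" could be read as referring to fs-verity; "IPE's operational modes" removes the ambiguity.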
@@ -508,6 +510,8 @@ be carefully considered before using them:
  files with a verified fs-verity builtin signature to perform certain
  operations, such as execution. Note that IPE doesn't require
  fs.verity.require_signatures=1.
  Please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>` for
  more details.

- A file's builtin signature can only be set at the same time that
  fs-verity is being enabled on the file.  Changing or deleting the
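Review bot: the sentence "Note that IPE doesn't require fs.verity.require_signatures=1." is left unexplained before the added pointer to the admin guide; readers will want to know which component then verifies the signature. A short clause tying it to the `fsverity_signature` policy property introduced earlier in this file (which authorizes files by their verified built-in signature) would make the statement self-contained, with the admin-guide link covering the details.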
+1 −0
@@ -19,3 +19,4 @@ Security Documentation
   digsig
   landlock
   secrets/index
   ipe
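Review bot: this toctree entry requires an `ipe.rst` alongside the security index, but the only newly added file visible in this diff is the single 790-line document, while the commit message promises both admin and developer documentation. Confirm that the developer document is actually part of the commit and lives in this directory; otherwise the security index will reference a nonexisting document.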