DevelopersNewsOpen Source

Microsoft IPE Is A New Code Integrity Feature For Linux


Microsoft seems to be embracing Linux more tightly than ever before!!! Well, the software giant has now launched Integrity Policy Enforcement (IPE), a Linux Security Module (LSM).

  • According to the IPE documentation page, it allows for a configurable policy to enforce integrity requirements on the whole system.
  • IPE attempts to solve “the issue of code integrity: that any code being executed (or files being read), are identical to the version that was built by a trusted source.” In other words, IPE helps the owner of a system ensure that only code they have authorized is allowed to execute.
  • Multiple implementations already exist within the Linux kernel; they solve some measure of integrity verification. However, they lack a measure of run-time verification that binaries are sourced from these locations, Microsoft points out in the documentation. IPE aims to address this gap.
  • IPE comprises: A configurable policy, provided by the LSM (“IPE Core”), and deterministic attributes provided by the kernel to evaluate files against, (“IPE Properties”).
  • Further, IPE cannot verify the integrity of anonymous executable memory, such as the trampolines created by gcc closures and libffi, or JIT’d code.

Microsoft says it has designed IPE for use in devices with a specific purpose like embedded systems, where all software and configuration is built and provisioned by the owner. Ideally, a system which leverages IPE is not intended for general purpose computing.

Don't miss out great stories, subscribe to our newsletter.

Login/Sign up