colby@colbyt.com writes: > Yes this is me laying the groundwork for/ trying to solve > > "Look into Integrity Policy Enhancement LSM > Apparently this enforces that executables must be authenticated by dm-verity. Could we use this?" > > I may have forgotten to push all the files but I got it implemented and working --- only I did not want to push actual IPE policies in a patch, as that has a substantial possibility to break things. Ah, yes. I meant IPE on the host when I wrote that. I'll update the text to make that clearer. I don't immediately see any value in IPE in VMs. > On Friday, June 26th, 2026 at 8:15 AM, Alyssa Ross wrote: > >> colbyt writes: >> >> > This series changes the app VM and net VM root images to boot through >> > dm-verity, then enables IPE kernel support for the sub-VMs and the >> > Spectrum host rootfs. >> > >> > Each sub-VM disk now has a verity metadata partition and an EROFS root >> > partition. The build installs the root hash next to the disk image, and >> > the VM boot paths pass that hash to a shared initramfs. The initramfs >> > uses the hash to find both partitions, opens /dev/mapper/root-verity, and >> > switches into it read-only. >> > >> > The last two patches only enable kernel support for IPE. They do not >> > install an IPE policy. With the existing generated kernel config, >> > enabling SECURITY_IPE also enables the dm-verity root-hash provider, so >> > later policy work can match files from verified roots. >> >> Would you mind explaining your motivation / the direction you envisage >> here in a bit more detail? Given that the VM gets its root file system >> and the corresponding verity hash from the same place (the host file >> system), there's no immediate security benefit from using dm-verity, >> right? Is the idea rather to enable some sort of cool IPE thing for >> which dm-verity is a requirement, but that's not implemented yet as part >> of this series? >> >> (I really appreciate the quality of your patches BTW — you've obviously >> gone to some effort to identify and follow all the tiny little >> conventions we have in the codebase. Thank you!) >>