colby@colbyt.com writes: > So instinctively the path I took there was to do IPE on apple end to > end from host to VM in an accountability chain, but not sure of the > validity of my taste there -- I just like treating internal > assumptions as hostile instead of trusted -- I was hoping to achieve > an inter-vm attestation system which would use things like this, but > tbh did not think deeply. > I would love to see something like that. Just needs some more design thought. As it stands I don't think this is giving any more assurance to VMs than they had before, but we definitely could — e.g. we could prove to them that they're running on an unmodified (and therefore presumably trustworthy) Spectrum host. > > On Thursday, July 2nd, 2026 at 7:22 AM, Alyssa Ross wrote: > >> colby@colbyt.com writes: >> >> > Yes this is me laying the groundwork for/ trying to solve >> > >> > "Look into Integrity Policy Enhancement LSM >> > Apparently this enforces that executables must be authenticated by dm-verity. Could we use this?" >> > >> > I may have forgotten to push all the files but I got it implemented and working --- only I did not want to push actual IPE policies in a patch, as that has a substantial possibility to break things. >> >> Ah, yes. I meant IPE on the host when I wrote that. I'll update the >> text to make that clearer. I don't immediately see any value in IPE in >> VMs. >> >> > On Friday, June 26th, 2026 at 8:15 AM, Alyssa Ross wrote: >> > >> >> colbyt writes: >> >> >> >> > This series changes the app VM and net VM root images to boot through >> >> > dm-verity, then enables IPE kernel support for the sub-VMs and the >> >> > Spectrum host rootfs. >> >> > >> >> > Each sub-VM disk now has a verity metadata partition and an EROFS root >> >> > partition. The build installs the root hash next to the disk image, and >> >> > the VM boot paths pass that hash to a shared initramfs. The initramfs >> >> > uses the hash to find both partitions, opens /dev/mapper/root-verity, and >> >> > switches into it read-only. >> >> > >> >> > The last two patches only enable kernel support for IPE. They do not >> >> > install an IPE policy. With the existing generated kernel config, >> >> > enabling SECURITY_IPE also enables the dm-verity root-hash provider, so >> >> > later policy work can match files from verified roots. >> >> >> >> Would you mind explaining your motivation / the direction you envisage >> >> here in a bit more detail? Given that the VM gets its root file system >> >> and the corresponding verity hash from the same place (the host file >> >> system), there's no immediate security benefit from using dm-verity, >> >> right? Is the idea rather to enable some sort of cool IPE thing for >> >> which dm-verity is a requirement, but that's not implemented yet as part >> >> of this series? >> >> >> >> (I really appreciate the quality of your patches BTW — you've obviously >> >> gone to some effort to identify and follow all the tiny little >> >> conventions we have in the codebase. Thank you!) >> >> >>