News: 0001492337


Linux 6.12 Landing Integrity Policy Enforcement "IPE" Module

([Linux Security] 2 Hours Ago Linux 6.12 IPE)


Merged as part of the Linux Security Modules (LSM) updates for the Linux 6.12 kernel is the new Integrity Policy Enforcement (IPE) module that has been years in the making. Integrity Policy Enforcement is an alternative to access controls.

Integrity Policy Enforcement relies on immutable security properties of system components and is engineered for fixed-function systems like network firewall devices, IoT platforms, etc., that only ever run certain application-targeted code. It is not intended for general PC or server use with software from a myriad of sources/vendors.

With Integrity Policy Enforcement, administrators can restrict execution of binaries to only those that come from an integrity-protected storage device, such as a file system backed by dm-verity.
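
A simplified user-space model of how such a policy is evaluated, added here as an illustration and not taken from the article or the kernel source. The policy text follows the syntax in the kernel IPE admin guide; the policy name, the `parse_policy` and `evaluate` helpers, and the evaluation contexts are constructed for this example.

```python
# Simplified user-space model of IPE rule evaluation (illustration only, not kernel code).
# The policy name and the evaluation contexts used below are constructed.
SAMPLE_POLICY = """\
policy_name=Example_Policy policy_version=0.0.0
DEFAULT action=ALLOW
DEFAULT op=EXECUTE action=DENY
op=EXECUTE dmverity_signature=TRUE action=ALLOW
"""

def parse_policy(text):
    """Return (global_default, per_op_defaults, ordered_rules)."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or not lines[0].startswith("policy_name="):
        raise ValueError("first line must be the policy header")
    global_default, op_defaults, rules = None, {}, []
    for line in lines[1:]:
        tokens = line.split()
        is_default = tokens[0] == "DEFAULT"
        fields = dict(t.split("=", 1) for t in tokens[1 if is_default else 0:])
        action = fields.pop("action", None)
        op = fields.pop("op", None)
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"bad or missing action: {line!r}")
        if is_default and op is None:
            global_default = action          # applies to every operation
        elif is_default:
            op_defaults[op] = action         # applies to one operation
        elif op is None:
            raise ValueError(f"rule without op: {line!r}")
        else:
            rules.append((op, fields, action))  # remaining fields are ANDed
    return global_default, op_defaults, rules

def evaluate(policy, op, props):
    """First matching rule wins, then the per-op default, then the global default."""
    global_default, op_defaults, rules = policy
    for rule_op, conditions, action in rules:
        if rule_op == op and all(props.get(k) == v for k, v in conditions.items()):
            return action
    return op_defaults.get(op, global_default)

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(evaluate(policy, "EXECUTE", {"dmverity_signature": "TRUE"}))
    print(evaluate(policy, "EXECUTE", {"dmverity_signature": "FALSE"}))
```

With this policy, execution is allowed only when the file comes from a dm-verity volume with a valid signature; every other operation falls through to the global default.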

More details on the Integrity Policy Enforcement functionality for Linux systems via [1]docs.kernel.org.

The IPE LSM was merged as part of the [2]LSM updates for Linux 6.12.



[1] https://docs.kernel.org/next/admin-guide/LSM/ipe.html

[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a430d95c5efa2b545d26a094eb5f624e36732af0



phoronix
