Technical Architecture
Defense-in-Depth Architecture
LIBUX implements a layered security model from hardware trust anchors to application isolation, ensuring security at every level of the stack.
Security Layers
Hardware Trust Anchor
TPM 2.0 (Trusted Platform Module)UEFI Secure BootMeasured Boot (PCR attestation)Hardware Security Modules (HSM)IOMMU IsolationMemory Encryption (AMD SEV / Intel TDX)
Kernel & OS Security
Linux Kernel HardeningKernel Lockdown ModeSELinux Mandatory Access ControlAppArmor ProfilesLandlock LSM (filesystem restrictions)seccomp-bpf syscall filteringeBPF-based monitoring (Falco)Auditd comprehensive auditing
Immutable System Layer
Read-only Root Filesystem (dm-verity)Atomic OS Updates (rpm-ostree)Automatic Rollback on FailureSnapshot RecoveryMinimal Base ImageSigned OS Images (Sigstore/Cosign)SBOM (Software Bill of Materials)Reproducible Builds
Application & Container Layer
Rootless Podman ContainersUser Namespace IsolationCgroups v2 Resource ControlFlatpak App SandboxingFirecracker MicroVMsKata ContainersgVisor SandboxOCI Image Signing
Identity & Access Layer
LibyaOne Auth PlatformOpenID Connect / OAuth2SAML 2.0 FederationFIDO2 / WebAuthnPasskeys & Smart CardsSPIFFE/SPIRE Workload IdentityPKI / Certificate ManagementZero Trust Policy Engine
Observability & Compliance
OpenTelemetry InstrumentationPrometheus MetricsGrafana DashboardsFalco Runtime SecuritySIEM Integration (OpenSearch)SOAR AutomationEDR / XDR EndpointsCompliance Reporting
Secure Update Pipeline
Source Code
→
Build & Sign
→
SBOM Generate
→
Image Sign
→
Mirror & CDN
→
Verified Install
Every package and image is cryptographically signed using Sigstore/Cosign with provenance tracked via SLSA.
Security Technology Stack
Mandatory Access Control
SELinuxAppArmorLandlock
Supply Chain
SigstoreCosignin-totoSLSASBOM
Container Security
PodmanKata ContainersgVisorFirecracker
Identity
FIDO2PasskeysFreeIPAKeycloakSPIFFE
Monitoring
FalcoAuditdeBPFOpenTelemetryPrometheus
Cryptography
TPM 2.0dm-verityLUKS2IMA/EVMHSM