Technical Architecture

Defense-in-Depth Architecture

LIBUX implements a layered security model from hardware trust anchors to application isolation, ensuring security at every level of the stack.

Security Layers

Hardware Trust Anchor

TPM 2.0 (Trusted Platform Module)UEFI Secure BootMeasured Boot (PCR attestation)Hardware Security Modules (HSM)IOMMU IsolationMemory Encryption (AMD SEV / Intel TDX)

Kernel & OS Security

Linux Kernel HardeningKernel Lockdown ModeSELinux Mandatory Access ControlAppArmor ProfilesLandlock LSM (filesystem restrictions)seccomp-bpf syscall filteringeBPF-based monitoring (Falco)Auditd comprehensive auditing

Immutable System Layer

Read-only Root Filesystem (dm-verity)Atomic OS Updates (rpm-ostree)Automatic Rollback on FailureSnapshot RecoveryMinimal Base ImageSigned OS Images (Sigstore/Cosign)SBOM (Software Bill of Materials)Reproducible Builds

Application & Container Layer

Rootless Podman ContainersUser Namespace IsolationCgroups v2 Resource ControlFlatpak App SandboxingFirecracker MicroVMsKata ContainersgVisor SandboxOCI Image Signing

Identity & Access Layer

LibyaOne Auth PlatformOpenID Connect / OAuth2SAML 2.0 FederationFIDO2 / WebAuthnPasskeys & Smart CardsSPIFFE/SPIRE Workload IdentityPKI / Certificate ManagementZero Trust Policy Engine

Observability & Compliance

OpenTelemetry InstrumentationPrometheus MetricsGrafana DashboardsFalco Runtime SecuritySIEM Integration (OpenSearch)SOAR AutomationEDR / XDR EndpointsCompliance Reporting

Secure Update Pipeline

Source Code
Build & Sign
SBOM Generate
Image Sign
Mirror & CDN
Verified Install

Every package and image is cryptographically signed using Sigstore/Cosign with provenance tracked via SLSA.

Security Technology Stack

Mandatory Access Control

SELinuxAppArmorLandlock

Supply Chain

SigstoreCosignin-totoSLSASBOM

Container Security

PodmanKata ContainersgVisorFirecracker

Identity

FIDO2PasskeysFreeIPAKeycloakSPIFFE

Monitoring

FalcoAuditdeBPFOpenTelemetryPrometheus

Cryptography

TPM 2.0dm-verityLUKS2IMA/EVMHSM