[$] The integrity policy enforcement security module

There are many ways to try to keep a system secure. One of those, often
employed in embedded or other dedicated-purpose systems, is to try to
ensure that only code that has been approved (by whoever holds that power
over the system in question) can be executed. The secure boot mechanism,
which is intended to keep a computer from booting anything but a trusted
kernel, is one piece of this puzzle, but its protection only extends
through the process of booting the kernel itself. Various mechanisms exist for
protecting a system after it boots; a new option for this stage is the Integrity
Policy Enforcement (IPE) security module, posted by Deven Bowers.

Source: LWN.net – [$] The integrity policy enforcement security module