LinuxSecuritySummit2011/Abstracts/Drewry dmverity

From Linux Security Wiki (obsolete)


Efficient, TPM-free system integrity checking with device mapper: dm-verity


Will Drewry and Mandeep Baines, Google


Chromium OS is a web-centric Linux distribution meant for use on devices with support for a static root of trust: Google Chromebooks and platforms supporting tboot. While it may seem obvious to assume that the static root of trust is extended to the remainder of the system using a TPM-based stack, like IMA, it is not. Instead, Chromium OS relies on a device mapper target which implements integrity checking through the application of a hash trie. This talk will discuss the design of the target, the observed performance characteristics, and specifics of the implementation such as failure behavior, as well as the reasons motivating the departure from existing mainline integrity-validating functionality, for better and worse. Time permitting, the talk will also explore how the target may be useful in other contexts and in the broader Chromium OS context.
