Posted Sep 22, 2011 13:40 UTC (Thu) by and (subscriber, #2883)
Parent article: dm-verity
I wonder what the security gain of this is for the average user, as it is easy to circumvent: you can just replace a dm-verity enabled kernel by one which has it disabled and the difference won't be noted. Of course, this assumes that the device can be convinced to boot a non-vendor kernel, so trusted boot kicks in again. On the other hand, if you boot from a USB thumb drive, you get the same result by simply putting it into read-only mode.