dm-verity

By Jonathan Corbet
September 19, 2011

It is not often that Netflix employees show up on linux-kernel to advocate for the merging of specific patches. But that is exactly what has happened after a posting of a new device mapper module called dm-verity. As one might expect, dm-verity has little to do with, say, efficient sorting of DVD mailings. It is, instead, a classic piece of security technology with the potential to work in the user's interests - or against those interests.

The purpose of dm-verity is to implement a device mapper target capable of validating the data blocks contained in a filesystem against a list of cryptographic hash values. If the hash for a specific block does not come out as expected, the module assumes that the device has been tampered with and causes the access attempt to fail. It has been put forward by Mandeep Singh Baines of Google's Chromium OS team, but there appears to be interest in this capability beyond that small group.

At the core of this new facility is a module called dm-bht, which works with a list of block numbers and their associated hash values. This list is organized into a simple tree for quick access to the hashes for arbitrary blocks. In essence, the leaves of the tree are pages containing hash values; each higher level in the tree contains hashes of the blocks below it. Verifying a block requires not only checking the hash value for that specific block; it is also necessary to verify hashes up to the root of the tree. If the hash for the tree root (which is assumed to be trusted) checks out, all is well. The dm-bht code can use any hash algorithm supported by the kernel's crypto API; SHA1 is given as an example, but others can be used as well.

dm-verity implements a read-only target; it is assumed that there is no need to change the data protected by this scheme (being, most likely, the binaries run by the system itself) during operation. The tree of block hashes is stored with (or near) the data itself, but the root hash must be passed in externally. If that root hash comes from a trusted source, it should be possible to detect any modification of the disk, in either the data itself or in the stored hash tree. So, if all goes well, a system running with dm-verity can be assured that the underlying software has not been changed. It's worth noting that integrity checking for any specific block does not happen until the kernel tries to read that block into the page cache. There is, thus, no need for a lengthy verification process at boot or mount time.

All of this depends on getting the right hash value into the system at startup time. If some sort of hardware-verified trusted bootloader is in use, that can probably be done in some sort of secure manner. Device mapper setup is a complex task requiring some sort of running user space. This means that a system using dm-verity will need some other mechanism to load a trusted kernel and initramfs or the whole chain will break. A trusted bootloader can achieve that kind of setup; another example given by the developers is a system booting from a "known good" source like a USB stick that is never left unattended.

One might wonder how dm-verity differs from existing features like the extended verification module. EVM requires and uses a trusted platform module (TPM) on the system to be verified; as long as the initial boot step can be secured, dm-verity is able to work without a TPM. It also seems likely that dm-verity will be faster since it does on-demand verification of blocks; there is no need to verify entire files before the first block can be accessed.

Wesley Miaw of Netflix made it clear that this patch is seen with favor there:

Netflix would like dm-verity to be included in the Linux kernel. Over the past year, we have been working with Google and porting dm-verity onto a number of consumer electronics devices running embedded Linux. Demand for this feature has been high and we see a lot of benefit associated with making dm-verity part of the official kernel.

The reasons for this interest should be fairly clear: dm-verity will make it easier to create locked-down Linux-based systems that will enforce whatever DRM requirements the movie studios may see fit to impose. Thanks to dm-verity, there will no longer be pirated films circulating on the Internet; or, perhaps, that's the sort of outcome that only happens in the movies. Whether or not the effort is futile, it shows that tools like dm-verity can be used to harden Linux-based systems in ways that are hostile to their users.

To an extent, Google's interests may align with those of Netflix: Chromebooks that can stream content from Netflix will be more attractive than those that cannot. But dm-verity also fits the ChromeOS concepts of minimal, trustworthy devices with data stored on Google's servers. For users who like this mode of operation, this kind of built-in integrity protection is a positive feature. Google can, one hopes, be trusted to hold the user's data; a suitably verified device can be trusted not to leak that data or the user's credentials to an attacker. Even if the running system is compromised through some sort of malware attack, a simple reboot should either put things right or make it clear that the machine can no longer be trusted.

As long as this functionality is under the user's control, it can be made to serve the user's interests. The "developer mode switch" designed into Chromebooks seems like a good compromise in this area. Some vendors will, beyond doubt, choose to incorporate tools like dm-verity without giving owners the ability to turn it off. That is not a good thing, but neither is it anything new.

Index entries for this article
Kernel	Device mapper
Kernel	Security/Integrity verification

dm-verity

Posted Sep 22, 2011 11:39 UTC (Thu) by k3ninho (subscriber, #50375) [Link] (4 responses)

There are benefits for LiveCD's to ensure that the disk has been written correctly. The possibility also arises of adding error detection/correction to restore the data to known-good states.

The thing I find surprising here is that this is being discussed in the same week as mjg59's blog post about the Windows 8 Logo program requiring Secure UEFI booting. There's no less scandal to Google and Netflix preventing users who intend to buy a general-purpose laptop from running other OS software (or who, years later, decide to upgrade their Chromebook to a newer edition of Linux) than Microsoft potentially limiting users' freedoms in the same way. The shoe may be on the other foot but the fight for full use of the capabilities of the hardware we buy - for general-purpose computing - carries on.

K3n.

dm-verity

Posted Sep 22, 2011 19:10 UTC (Thu) by semenzato (guest, #80402) [Link] (2 responses)

There is a fundamental tension between security and the ability to install your own software. Making a device more secure against remote attacks also makes it harder for the owners themselves to make changes. But the key, of course, is "remote". As the article points out, Google-blessed Chrome OS devices are required to have a physical switch that makes the system bypass firmware, kernel, and read-only file system verification. So the owners get to choose.

Chromium OS is open source, so it is possible that hardware vendors will produce devices without that switch. It will be up to customers to make the right choice.

dm-verity

Posted Sep 25, 2011 7:31 UTC (Sun) by vapier (guest, #15768) [Link] (1 responses)

Chromium OS doesn't contain the proprietary fun bits (like Netflix) that turns "Chromium" into "Chrome", so it automatically makes that route less desirable to vendors.

also, the internet says Google filed for a trademark on "Chromium". Mozilla/Firefox have used their trademarks in the past to control how people distribute things called "Firefox" to the point where they have a pretty strong say in things downstream from them.

dm-verity

Posted Oct 3, 2011 19:01 UTC (Mon) by JanC_ (guest, #34940) [Link]

I know of at least two open source projects that have used the name "Chromium" long before Google did, so I doubt that trademark would be worth much?

dm-verity

Posted Sep 25, 2011 7:36 UTC (Sun) by vapier (guest, #15768) [Link]

actually, there is quite a bit less scandal to Chrome OS devices -- one might say there is none at all. if you read the documentation from the Chromium website, you'd see that the developer switch is a non-negotiable requirement. thus users' freedoms are not impaired in the slightest. don't like Chrome OS ? flip the device and install whatever you want.

http://www.chromium.org/chromium-os/chromiumos-design-doc...

INFORMATION IS POW-WA

dm-verity

Posted Sep 22, 2011 13:40 UTC (Thu) by and (guest, #2883) [Link] (2 responses)

I wonder what the security gain of this is for the average user, at it is easy to circumvent: you can just replace a dm-verity enabled kernel by one which has it disabled and the difference won't be noted. of course, this assumes that the device can be convinced to boot a non-vendor kernel, so trusted boot kicks in again. On the other hand, if you boot from an USB thumb drive, you get the same result by simply putting it into read-only mode.

dm-verity

Posted Sep 29, 2011 19:37 UTC (Thu) by elanthis (guest, #6227) [Link] (1 responses)

If you mean the average user on a stock PC, probably little. But why would anyone think that Google or Netflix cares in the slightest about your Fedora/Ubuntu/Arch/Gentoo/SuSE/whatever-based desktop PC? I'm not sure why anyone still thinks that desktop Linux is at all relevant to any major corporation.

Google is aware of the hand that feeds it

Posted Nov 26, 2011 5:46 UTC (Sat) by Duncan (guest, #6647) [Link]

Not that anyone will see this so late in the game, but...

Google, at least, seems reasonably aware of the FLOSS system from which it derives so much of its software base, and in, one would hope, enlightened self-interest, spends an enormous amount of time, energy and money not only "giving back" in the traditional FLOSS sense (for corporates, that's normally in the form of sponsorships and/or as cooperation and/or contribution of small bits of its own, all of which google does), but ALSO of enabling the community in ways the FLOSS community on its own doesn't always do such a good job at -- political lobbying, and otherwise in practice ensuring an atmosphere in which FLOSS can continue to be a healthy player.

The chromebook developer mode switch that has been mentioned several times already, is a good example of this. As others have pointed out, google's making this a non-negotiable. So google can continue to cater to the vast majority of "content consumers" while building on FLOSS ecosystem building-blocks, but it does so with mode-switchable devices that ensure those who are interested in exercising their own creativity on these devices cannot be prevented from doing so. Thus, unlike "the ms way" which doesn't particularly care about ensuring that "the next generation" has the hackable hardware necessary to bootstrap itself, "the google way" not only allows it as an afterthought when people protest, but actually designs that hackability into its products, speced as a non-negotiable, thereby doing more from a corporate mass production perspective to ensure the continued existence of mass produced and thus cheap and commonly available hackable hardware, than the FLOSS community on its own could ever do.

Google appreciates that by keeping the FLOSS community healthy, it keeps itself healthy, and unlike the quarterly results shortterm, annual results longterm, corporate culture so common these days, google is helping to ensure its own health not only next year, but a full human generation (how many mobile device generations is that?) out. That's pretty rare these days, but certainly quite welcome! =:^)

(This from one who's definitely not google-blinded, BTW. I definitely don't trust google's data mining and doubleclick side, and there's a reason I don't have a gmail account, block google-analytics via both request-policy and noscript, and filter out doubleclick at both the DNS and privoxy-page-rewrite levels. But credit where credit is due, tho I do wonder what the chances of google pulling a caldera/sco might ultimately be. But if you notice, caldera/sco pulled their trick on the way down, and google still seems like a rising star, so that's likely some time in the future if it happens. Meanwhile, google and floss continue to be allies, if only somewhat measured and rather wary allies united against a greater enemy, for the time being.)

Duncan

How about kernel splicing?

Posted Sep 22, 2011 16:02 UTC (Thu) by felixfix (subscriber, #242) [Link] (1 responses)

I am probably especially dense this morning, and had some trouble understanding dm-verity in detail; seems like a fancy way to verify some blocks on the disk. There has been some kind of splicing mechanism in kernels for a while, useful for upgrading a running kernel without reboot. Even if the disk kernel is verified, if it includes splicing, couldn't a splice be executed after dm-verity has said ok?

If the only use for this is embedded systems which only upgrade on command from the mother ship, that's one thing. But if Netflix has any interest in streaming movies to bog-standard PCs running Linux, I wonder how long before a splice starts circulating to disable DRM after dm-verity has been run. I suppose the truth is that there are probably a zillion ways to defeat DRM on a standard Linux PC, so splicing wouldn't be necessary.

How about kernel splicing?

Posted Sep 23, 2011 7:22 UTC (Fri) by rvfh (guest, #31018) [Link]

> If the only use for this is embedded systems which only upgrade on command from the mother ship, that's one thing.

Exactly, see: http://www.pcmag.com/article2/0,2817,2388090,00.asp

dm-verity

Posted Sep 24, 2011 21:33 UTC (Sat) by Creideiki (subscriber, #38747) [Link]

I am sorely disappointed to see that neither this article nor any of the previous comments contain any reference to Verity Stob.

dm-verity

Posted Oct 3, 2011 19:05 UTC (Mon) by Baylink (guest, #755) [Link]

As usual -- at least in my perception -- this isn't about "people won't be able to pirate movies"; this is about "law abiding people will have to pay us 5 or 6 times for the same content, because we're technically restricting their fair use rights to watch said content on any device they feel like to make more money (and the DMCA trumps section 107)."

<sigh>