Is FS-VERITY any good for the desktop?
This would be useful for verified boot and to prevent malware persistence similar to dm-verity.
I don’t think any (Debian based) Linux desktop distribution can/will implement this, unfortunately, in the mid-term future. Happy to be proven wrong. Also because non-determinism and unclean separation of system and user folders make it even harder to provide a signed base image (or filesystem).
dm-verity / fs-verity require a distributor to create and sign an image (or filesystem), which the user cannot modify (at least not without superroot) (Android calls that “rooting” or aftermarket firmware image flashing). Then the package management works differently - it does not write to the root image. It is therefore more limited - unless extensive development is being done. Android added a lot of the missing functionality to make this work. But then users require the distributor (in case of mobile phones their mobile carrier or mobile phone producer) to provide upgrades - which, we know, is a very broken process. For way too many phones there aren’t upgrades delivered (and worse, freedom is denied to users to update their own devices due to locked bootloaders).
Perhaps root (or superroot) could upgrade and then a key generated on the user’s machine could sign the file system or all binaries. Then when booting using multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode with user, any modifications to the root file system could be detected. But that seems superfluous since Linux file permissions prevent that anyhow. Any attacker who can compromise / escalate these permissions could also subvert dm-verity / fs-verity, I think.
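
The trade-off raised in the last paragraph, as an added example that is not part of the original post: a simplified fs-verity-style Merkle root per file, tagged with a key that lives on the same machine. HMAC stands in for a real signature, the tree layout is not fs-verity's exact on-disk format, and the function names, paths and key are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 4096  # fs-verity's default block size; the tree layout here is simplified


def merkle_root(data: bytes) -> bytes:
    """Hash fixed-size blocks, then hash pairs upward until one root remains."""
    level = [hashlib.sha256(data[i:i + BLOCK]).digest()
             for i in range(0, max(len(data), 1), BLOCK)]
    while len(level) > 1:
        level = [hashlib.sha256(b"".join(level[i:i + 2])).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


def _tag(path: str, data: bytes, key: bytes) -> bytes:
    # Bind the path to the root so a valid file cannot be swapped under another name.
    return hmac.new(key, path.encode() + b"\0" + merkle_root(data), hashlib.sha256).digest()


def sign_tree(files: dict, key: bytes) -> dict:
    """Record a keyed tag over (path, Merkle root) for every file."""
    return {path: _tag(path, data, key) for path, data in files.items()}


def verify_tree(files: dict, manifest: dict, key: bytes) -> list:
    """Return the sorted paths that were added, removed, or no longer match their tag."""
    bad = set(files) ^ set(manifest)
    for path in set(files) & set(manifest):
        if not hmac.compare_digest(_tag(path, files[path], key), manifest[path]):
            bad.add(path)
    return sorted(bad)


def demo() -> tuple:
    key = b"constructed-local-key"                                   # constructed sample key
    files = {"/usr/bin/a": b"A" * 10000, "/usr/bin/b": b"B" * 100}   # constructed sample files
    manifest = sign_tree(files, key)
    clean = verify_tree(files, manifest, key)
    files["/usr/bin/a"] = b"A" * 9999 + b"X"       # change made without access to the key
    tampered = verify_tree(files, manifest, key)
    manifest = sign_tree(files, key)               # same change by a process that can read the key
    resigned = verify_tree(files, manifest, key)
    return clean, tampered, resigned


if __name__ == "__main__":
    print(demo())
```

The check flags the modified binary only while the key is out of reach of whoever made the change; once the manifest is regenerated with the same key, verification passes again.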