Integrity protection is making sure that the code that you’re running is the code that you want to run.
Runtime system integrity is protected by access controls (SELinux and friends). However, these assume that the metadata is correct. That requires that there is a trust path from early boot up to the running system.
In UEFI secure boot, the boot rom verifies the boot loader is signed, and the boot loader has to verify that the kernel is signed in the same way (using UEFI calls). That talks to a TPM that talks to a attestation server to verify that things are correct.
In embedded systems that are connected to the network, we can use a similar mechanism like UEFI to contact an attestation server.
Since 2013.07 U-Boot has a secure boot extension that allows to verify the signature of a DTB – the signature is embedded inside the DTB. The same mechanism can be used to sign the kernel, by adding the signature to the FIT configuration.
Once the kernel is verified and booted, it must verify anything that is loaded from the filesystem. A first method is to check the signature of every block when it is read – using dm-verify. This only works for read-only partitions. A hash is calculated of every block, and then a hash tree is constructed until there is a root hash which is signed. The hash blocks are stored together with the FS. Since this is read-only, updating can only be done by overwriting the entire partition.
dm-integrity is also a device mapper target, but it works for RW partitions. It uses a HMAC for every block which is stored separately on trusted storage. On every write, the HMAC is updated. To improve performance, the checks are cached.
Linux Integrity subsystem extends the secure boot to user space. It works at the VFS level. It allows policy so that not every file needs to be trusted.
Measurements are used to remotely attest the system integrity. First it is collected when something is loaded. It is stored (added to a measurement list). If there is a TPM, that can collect the measurements and sign them, and typically it will lock the keys if it doesn’t work out. Finally, the signed measurement list can be sent over the network so you can remotely attest that the system was not compromised at that time.
The EVM (Extended Verification Module) protects file attributes against offline modification – especially relevant for the security attributes..
[It was becoming too complex for me…]