Brussels / 1 & 2 February 2014


Integrity protection solutions for embedded systems

Runtime system integrity is protected by access control mechanisms. The Linux kernel provides Discretionary Access Control (DAC) and several Mandatory Access Control modules, such as SELinux, SMACK, Tomoyo, AppArmor. All of these assume trustworthiness of the access control related data. Integrity protection is required to ensure that offline modification of such data will not remain undetected. This presentation will summarize the different methods of achieving integrity protection at different layers, compare them and will show how to use them to build integrity protected embedded system.

This talk will present the current state and future of the VFS level Linux kernel Integrity Subsystem, which allows since 3.7 to build integrity protected system, and compare it with block-level integrity protection modules, such as dm-integrity and dv-verity. Presentation will also discuss secure boot support of the u-boot.


Dmitry Kasatkin