From 4efaccbcc6d5c5d375b2d32f93dd80d0d996bf05 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:33:04 +0100 Subject: [PATCH] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index 27a44c3..334c67d 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md @@ -15,7 +15,7 @@ DM-Integrity is a Linux kernel device-mapper target that provides block-level da --- -However dm-integrity is limited to only protecting the data when it is at rest, any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. +However, dm-integrity is limited to only protecting the data when it is at rest, so any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. Another limitation of dm-integrity is it's inability to prevent rollback attacks. Imagine this scenario, someone steals your disk today, `February 24th 2025`. Now the attacker in `March 13th 2027` knows that there was a critical CVE in the OpenSSH daemon that allows unauthenticated remote code execution that was discovered a month prior, he can simply revert the disk of the victim, and when the non suspecting system boots their machine. The attacker can gain immediate access to the victim's machine because the old image still contains the vulnerable OpenSSH daemon version. Dm-integrity will happily verify that old data because it has been at rest, not corrupted or tampered with.
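Review bot: the changed line reads better with the comma and "so", but the unchanged context lines of this same paragraph carry errors that should go into the same commit: "it's inability" should be "its inability", "in `March 13th 2027`" should be "on `March 13th 2027`", "non suspecting" should be "unsuspecting", and the sentence break in "when the non suspecting system boots their machine. The attacker can gain immediate access" leaves a fragment; suggest "and when the unsuspecting victim boots their machine, the attacker can gain immediate access to it". "Dm-integrity" at the start of the last sentence is also inconsistent with the lowercase "dm-integrity" used elsewhere in the hunk. On the changed line itself, "limited to only protecting the data when it is at rest" would be sharper as "only protects data at rest", and the clause "written immediately without validation" could state the security-relevant consequence the paragraph is driving at: a write that arrives through the active target is accepted as legitimate, so the integrity tags cannot distinguish it from a good write later.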