Update content/posts/linux/Setting up DM-Integrity/index.md

Co-authored-by: Ganwtrs <morga.nwinters-99@aliasvault.net>
Signed-off-by: Purpleseaotter <github.bronco733@passinbox.com>
This commit is contained in:
Purpleseaotter 2025-12-17 10:33:04 +01:00 committed by GitHub
parent 55820e91c0
commit 4efaccbcc6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -15,7 +15,7 @@ DM-Integrity is a Linux kernel device-mapper target that provides block-level da
--- ---
However dm-integrity is limited to only protecting the data when it is at rest, any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. However, dm-integrity is limited to only protecting the data when it is at rest, so any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation.
Another limitation of dm-integrity is it's inability to prevent rollback attacks. Imagine this scenario, someone steals your disk today, `February 24th 2025`. Now the attacker in `March 13th 2027` knows that there was a critical CVE in the OpenSSH daemon that allows unauthenticated remote code execution that was discovered a month prior, he can simply revert the disk of the victim, and when the non suspecting system boots their machine. The attacker can gain immediate access to the victim's machine because the old image still contains the vulnerable OpenSSH daemon version. Dm-integrity will happily verify that old data because it has been at rest, not corrupted or tampered with. Another limitation of dm-integrity is it's inability to prevent rollback attacks. Imagine this scenario, someone steals your disk today, `February 24th 2025`. Now the attacker in `March 13th 2027` knows that there was a critical CVE in the OpenSSH daemon that allows unauthenticated remote code execution that was discovered a month prior, he can simply revert the disk of the victim, and when the non suspecting system boots their machine. The attacker can gain immediate access to the victim's machine because the old image still contains the vulnerable OpenSSH daemon version. Dm-integrity will happily verify that old data because it has been at rest, not corrupted or tampered with.
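Review bot: the comma fix on the first changed line is good, but the unchanged context line that follows still has the same class of errors and should be cleaned up in the same commit: "it's inability" should be "its inability", "non suspecting" should be "unsuspecting", and "he can simply revert the disk of the victim, and when the non suspecting system boots their machine." is a fragment that never reaches its main clause. Suggested wording for that sentence: "he can simply restore the old disk image, and when the unsuspecting user boots the machine, the attacker gains immediate access because the old image still contains the vulnerable OpenSSH daemon version." The rollback example itself reads correctly and makes the at-rest-only guarantee clear; it is just the grammar that undercuts it.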