From 9eee620e59270f5fc78b515c0eedeb5654e1542f Mon Sep 17 00:00:00 2001 From: unforgivablesin Date: Thu, 6 Mar 2025 15:41:20 +0100 Subject: [PATCH 1/8] Adding "Setting up DM-Integrity article" --- .../posts/linux/Setting up DM-Integrity.md | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 content/posts/linux/Setting up DM-Integrity.md diff --git a/content/posts/linux/Setting up DM-Integrity.md b/content/posts/linux/Setting up DM-Integrity.md new file mode 100644 index 0000000..0655f3f --- /dev/null +++ b/content/posts/linux/Setting up DM-Integrity.md 
@@ -0,0 +1,58 @@ +--- +title: "Setting up DM-Integrity" +date: 2025-06-03 +tags: ['Operating Systems', 'Linux', 'Security',] +author: Purpleseaotter +--- + +### Introduction + +--- + +DM-Integrity is a Linux kernel device-mapper target that provides block-level data integrity checking. To detect unauthorized changes or corruption on a block device. Unlike encryption, dm-integrity ensures data hasn’t been tampered with. When paired with LUKS, which uses dm-crypt for encryption, it can enhance security by adding authenticated encryption combining confidentiality and integrity. + +### Limitations + +--- + +However dm-integrity is limited to only protecting the data when it is at rest, any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. + +Another limitation of dm-integrity is it's inability to prevent rollback attacks. Imagine this scenario, someone steals your disk today, `February 24th 2025`. Now the attacker in `March 13th 2027` knows that there was a critical CVE in the OpenSSH daemon that allows unauthenticated remote code execution that was discovered a month prior, he can simply revert the disk of the victim, and when the non suspecting system boots their machine. The attacker can gain immediate access to the victim's machine because the old image still contains the vulnerable OpenSSH daemon version. Dm-integrity will happily verify that old data because it has been at rest, not corrupted or tampered with. + +The cryptsetup developer Milan Broz has made it clear [that the discard option for ssd trimming is not supported in AEAD mode](https://gitlab.com/cryptsetup/cryptsetup/-/issues/420). 
+ +### Setup + +--- + +When you're setting up your Arch Linux machine and you want to make use of dm-integrity, set up your system as normal until you reach the step where you are required to set up your crypto disk, and use this cryptsetup command: + +```bash +cryptsetup luksFormat --type luks2 /dev/sdX --integrity hmac-sha256 --sector-size 4096 +``` + +We are setting a sane default of using hmac-sha256 for the integrity checking. Alternatively if you have very weak hardware that would struggle with hmac-sha256, you can also use crc32c. However this is non cryptographic and probably significantly weaker. + +When pacstrapping the system make sure you add in the cryptsetup package to install LUKS and by extension dm-integrity. The following command is a minimal base install example of what that would look like: + +```bash +pacstrap /mnt base linux linux-firmware sudo efibootmgr nano cryptsetup +``` + +When setting up a crypto disk with LUKS and dm-integrity make sure you don't forget to include the `encrypt` hook before `filesystems` in `/etc/mkinitcpio.conf`. You do not need to include a seperate hook for dm-integrity alone. + +The following steps are for Debian and Fedora, they both require a manual installation which can be done using a bootstrapping tool. For Debian this is `debootstrap` and on Fedora you can simply use `dnf`. + +For Debian I the steps are the same, apart from the fact you specifically need to load the `dm-integrity` and `dm-bufio` modules in `/etc/initramfs-tools/modules`. Just make sure to bootstrap your system correctly using `debootstrap`. An example would be this: + +```bash +debootstrap --variant=minbase stable /mnt/debian-minbase http://deb.debian.org/debian/ +``` + +If you want to install Fedora you will also have to bootstrap the system manually using `dnf`. You will have to load the module in the initramfs in `/etc/dracut.conf.d/dm-integrity.conf` and add `add_drivers+=" dm-integrity "`. 
An example for the DNF command would be: + +```bash +dnf --releasever=41 --installroot=/mnt/fedora groupinstall core +``` + +For additional information you should read other blog posts or instruction videos because bootstrapping a Linux distro is out of scope for this blog post. \ No newline at end of file From f6a3f8e19e4284e07a56fce4411d705972ded71e Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 17 Mar 2025 01:15:06 -0700 Subject: [PATCH 2/8] Move content to the new layout --- .../index.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename content/posts/linux/{Setting up DM-Integrity.md => Setting up DM-Integrity/index.md} (100%) diff --git a/content/posts/linux/Setting up DM-Integrity.md b/content/posts/linux/Setting up DM-Integrity/index.md similarity index 100% rename from content/posts/linux/Setting up DM-Integrity.md rename to content/posts/linux/Setting up DM-Integrity/index.md From 55820e91c0ac20cc100af1d152b4d650edf1f213 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:32:41 +0100 Subject: [PATCH 3/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index 0655f3f..27a44c3 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md 
@@ -9,7 +9,7 @@ author: Purpleseaotter --- -DM-Integrity is a Linux kernel device-mapper target that provides block-level data integrity checking. To detect unauthorized changes or corruption on a block device. Unlike encryption, dm-integrity ensures data hasn’t been tampered with. When paired with LUKS, which uses dm-crypt for encryption, it can enhance security by adding authenticated encryption combining confidentiality and integrity. +DM-Integrity is a Linux kernel device-mapper target that provides block-level data integrity checking. This is to detect unauthorized changes or corruption on a block device. Unlike encryption, dm-integrity ensures data hasn’t been tampered with. When paired with LUKS, which uses dm-crypt for encryption, it can enhance security by adding authenticated encryption to combine confidentiality and integrity. ### Limitations From 4efaccbcc6d5c5d375b2d32f93dd80d0d996bf05 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:33:04 +0100 Subject: [PATCH 4/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index 27a44c3..334c67d 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md 
@@ -15,7 +15,7 @@ DM-Integrity is a Linux kernel device-mapper target that provides block-level da --- -However dm-integrity is limited to only protecting the data when it is at rest, any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. +However, dm-integrity is limited to only protecting the data when it is at rest, so any data written to the disk when the dm-integrity target is active (meaning the system has booted) will be picked up by dm-integrity and written immediately without validation. Another limitation of dm-integrity is it's inability to prevent rollback attacks. Imagine this scenario, someone steals your disk today, `February 24th 2025`. Now the attacker in `March 13th 2027` knows that there was a critical CVE in the OpenSSH daemon that allows unauthenticated remote code execution that was discovered a month prior, he can simply revert the disk of the victim, and when the non suspecting system boots their machine. The attacker can gain immediate access to the victim's machine because the old image still contains the vulnerable OpenSSH daemon version. Dm-integrity will happily verify that old data because it has been at rest, not corrupted or tampered with. From d92c15d5e439f37a6563e37de518dae133e5ca65 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:33:14 +0100 Subject: [PATCH 5/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index 334c67d..a288622 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md 
@@ -31,7 +31,7 @@ When you're setting up your Arch Linux machine and you want to make use of dm-in cryptsetup luksFormat --type luks2 /dev/sdX --integrity hmac-sha256 --sector-size 4096 ``` -We are setting a sane default of using hmac-sha256 for the integrity checking. Alternatively if you have very weak hardware that would struggle with hmac-sha256, you can also use crc32c. However this is non cryptographic and probably significantly weaker. +We are setting a sane default of using hmac-sha256 for the integrity checking. Alternatively, if you have very weak hardware that would struggle with hmac-sha256, you can also use crc32c. However, this is non cryptographic and likely significantly weaker. When pacstrapping the system make sure you add in the cryptsetup package to install LUKS and by extension dm-integrity. The following command is a minimal base install example of what that would look like: From e72204dd0fd64cf0e5efd221d7cc51ea03ce9082 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:33:27 +0100 Subject: [PATCH 6/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index a288622..2584f0f 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md 
@@ -33,7 +33,7 @@ cryptsetup luksFormat --type luks2 /dev/sdX --integrity hmac-sha256 --sector-siz We are setting a sane default of using hmac-sha256 for the integrity checking. Alternatively, if you have very weak hardware that would struggle with hmac-sha256, you can also use crc32c. However, this is non cryptographic and likely significantly weaker. -When pacstrapping the system make sure you add in the cryptsetup package to install LUKS and by extension dm-integrity. The following command is a minimal base install example of what that would look like: +When pacstrapping the system, make sure you add in the cryptsetup package to install LUKS (and by extension, dm-integrity). The following command is a minimal base install example of what that would look like: ```bash pacstrap /mnt base linux linux-firmware sudo efibootmgr nano cryptsetup From 7ef2ba00e613bb857928953dd0e85d9c38bb7081 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:33:50 +0100 Subject: [PATCH 7/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index 2584f0f..b5fe177 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md 
@@ -55,4 +55,4 @@ If you want to install Fedora you will also have to bootstrap the system manuall dnf --releasever=41 --installroot=/mnt/fedora groupinstall core ``` -For additional information you should read other blog posts or instruction videos because bootstrapping a Linux distro is out of scope for this blog post. \ No newline at end of file +For additional information, you should read other blog posts or instruction videos. Bootstrapping a Linux distro is out of scope for this blog post. \ No newline at end of file From 058999f73909ad5e2a93d280bb22dd9cb437d4e6 Mon Sep 17 00:00:00 2001 From: Purpleseaotter Date: Wed, 17 Dec 2025 10:35:11 +0100 Subject: [PATCH 8/8] Update content/posts/linux/Setting up DM-Integrity/index.md Co-authored-by: Ganwtrs Signed-off-by: Purpleseaotter --- content/posts/linux/Setting up DM-Integrity/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Setting up DM-Integrity/index.md b/content/posts/linux/Setting up DM-Integrity/index.md index b5fe177..047123d 100644 --- a/content/posts/linux/Setting up DM-Integrity/index.md +++ b/content/posts/linux/Setting up DM-Integrity/index.md @@ -49,7 +49,7 @@ For Debian I the steps are the same, apart from the fact you specifically need t debootstrap --variant=minbase stable /mnt/debian-minbase http://deb.debian.org/debian/ ``` -If you want to install Fedora you will also have to bootstrap the system manually using `dnf`. You will have to load the module in the initramfs in `/etc/dracut.conf.d/dm-integrity.conf` and add `add_drivers+=" dm-integrity "`. An example for the DNF command would be: +If you want to install Fedora, you will also have to bootstrap the system manually using `dnf`. You will have to load the module in the initramfs in `/etc/dracut.conf.d/dm-integrity.conf` and add `add_drivers+=" dm-integrity "`. An example for the DNF command would be: ```bash dnf --releasever=41 --installroot=/mnt/fedora groupinstall core
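Review bot: in PATCH 1/8 (the new file), the front matter `date: 2025-06-03` disagrees with the commit's own date (Thu, 6 Mar 2025); this looks like a day/month swap and should read `2025-03-06`. In the Setup section, `cryptsetup luksFormat ... --integrity hmac-sha256` wipes the entire device to initialise the integrity tags before any filesystem can be created, which can take hours on a large disk; readers should be told to expect that rather than assume the command hung. The mkinitcpio paragraph states that no separate dm-integrity hook is needed on Arch, while the Debian and Fedora paragraphs both require the module to be added to the initramfs explicitly; please confirm whether `MODULES` in `/etc/mkinitcpio.conf` needs `dm_integrity` or whether the `encrypt` hook already pulls it in, and state which. Minor, not fixed by the later patches: `it's inability` should be `its inability`, `non suspecting` should be `unsuspecting`, `seperate` should be `separate`, and `For Debian I the steps` has a stray `I`.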
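Review bot: in PATCH 3/8, the reworded introduction still says `Unlike encryption, dm-integrity ensures data hasn't been tampered with`, which presents the two as alternatives; the point the paragraph is making is that dm-crypt on its own gives confidentiality but no tamper detection, and `--integrity` adds a per-sector authentication tag on top. Suggest `Encryption alone (dm-crypt) only provides confidentiality; dm-integrity adds tamper detection. When paired with LUKS ...` so the following sentence about authenticated encryption follows naturally.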
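Review bot: in PATCH 4/8, the rewritten limitation sentence still reads as if `written immediately without validation` were a defect; the actual property is that dm-integrity authenticates data when it is read back, so it detects modification made while the device was offline, but any write issued by the running (possibly already compromised) system is tagged as legitimate and will verify fine later. Suggest saying exactly that. The unchanged trailing context line of this hunk also still carries `it's inability` (should be `its`) and `non suspecting` (should be `unsuspecting`); since this paragraph is being touched, fix them here.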
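Review bot: in PATCH 5/8, `likely significantly weaker` understates the crc32c case: crc32c is an unkeyed checksum, so anyone able to modify a sector can simply recompute its tag, and it only ever catches accidental corruption, never deliberate tampering. Suggest `However, this is a non-cryptographic checksum: it detects accidental corruption, but an attacker who can write to the disk can recompute it, so it offers no tamper protection.` Also hyphenate `non-cryptographic`.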
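Review bot: in PATCH 8/8, `You will have to load the module in the initramfs in /etc/dracut.conf.d/dm-integrity.conf and add add_drivers+=" dm-integrity "` is a doubled instruction; the file is the mechanism, not a separate step. Suggest `Create /etc/dracut.conf.d/dm-integrity.conf containing add_drivers+=" dm-integrity " so that dracut includes the module in the initramfs, then regenerate it with dracut.` Also note that `/mnt/fedora` and the Debian `/mnt/debian-minbase` target differ from the `/mnt` used for Arch; a short remark that the mount point is the reader's choice would avoid confusion.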