Nowadays you hear more and more about kernel-level dm-verity protection, a security feature that prevents the installation of custom ROMs. Here's a little taste of how it works:

Verified boot

Introduction

Android 4.4 and later releases support device verification at boot time via the optional device-mapper-verity (dm-verity) kernel feature, which provides transparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that hold root privileges and could compromise the device or leak its data. With this experimental feature, Android users can be sure that when they boot their device, it is in the same state as the last time it was used.

Clever malware with root privileges can hide from detection programs and otherwise mask itself. It is able to do this because it often holds more privileges than the detection software, which lets it evade the detector.

The dm-verity feature lets you examine a block device, the underlying storage layer of the file system, and determine whether it matches its expected configuration. It does this using a cryptographic hash tree: each block (typically 4 KiB) is associated with a SHA-256 hash.

Because the hash values are stored in a tree structure, only the top-level "root" hash needs to be trusted in order to verify all the other elements. Modifying any block without detection would be equivalent to breaking the cryptographic hash function. The figure below illustrates this type of structure.

Figure 1: dm-verity hash table

The public key is included in the boot partition, which must be verified externally by the OEM. This key is used to verify the hash tree and confirm that the device's system partition is protected and intact.
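To make the hash-tree idea from the previous paragraphs concrete, here is an added, simplified model of what dm-verity does, written for this post rather than taken from AOSP or the kernel. It splits a constructed "partition image" into 4 KiB blocks, hashes each with SHA-256, builds a binary Merkle tree over the block hashes, and then verifies individual blocks against the trusted root hash (the value the OEM would sign at build time). It is an assumption-laden illustration: real dm-verity salts the hashes, packs each tree level into hash blocks on disk, and takes the trusted root from signed verity metadata rather than from a function parameter.

```python
import hashlib

BLOCK_SIZE = 4096          # dm-verity hashes data in fixed blocks, typically 4 KiB
HASH = hashlib.sha256      # the hash algorithm named in the text


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Split an image into fixed-size blocks, zero-padding the final partial block."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def leaf_hash(block: bytes) -> bytes:
    """Hash of one data block (real dm-verity also mixes in a per-partition salt)."""
    return HASH(block).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash of two child hashes; this is the simplified binary-tree step."""
    return HASH(left + right).digest()


def build_tree(blocks: list) -> list:
    """Return the tree as levels: levels[0] are leaf hashes, levels[-1] == [root].

    An odd-length level is padded by duplicating its last hash so every node
    has a sibling; the padded level is what gets stored, so proofs stay consistent.
    """
    level = [leaf_hash(b) for b in blocks]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            break
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return levels


def proof_path(levels: list, index: int) -> list:
    """Sibling hashes from the leaf up to (not including) the root for block `index`.

    Each entry is (sibling_hash, is_right_child) so the verifier knows the order
    in which to concatenate when recomputing the parent.
    """
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: list, trusted_root: bytes) -> bool:
    """Recompute the root from one block and its sibling path; True only if it matches.

    This is the read-time check: a block is served only if its hash chains up to
    the trusted root. Here `trusted_root` is passed in; on a device it would come
    from verity metadata whose signature was checked with the OEM's public key.
    """
    h = leaf_hash(block)
    for sibling, is_right in path:
        h = node_hash(sibling, h) if is_right else node_hash(h, sibling)
    return h == trusted_root


def demo() -> dict:
    """Build a tree over a constructed image, then verify intact and tampered blocks."""
    # Constructed sample image: five blocks of distinguishable filler, not real Android data.
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    blocks = split_blocks(image)
    levels = build_tree(blocks)
    trusted_root = levels[-1][0]     # what the OEM would sign at build time

    results = {}
    # Every untouched block verifies against the stored tree and the trusted root.
    results["intact"] = all(
        verify_block(b, i, proof_path(levels, i), trusted_root) for i, b in enumerate(blocks)
    )
    # Flip one bit in block 3 on "disk" while the stored hash tree stays unchanged.
    tampered = bytearray(blocks[3])
    tampered[100] ^= 0x01
    results["tampered_detected"] = not verify_block(bytes(tampered), 3, proof_path(levels, 3), trusted_root)
    # Rebuilding the tree over the modified image yields a different root, so an
    # attacker who rewrote the tree too would still fail against the signed root.
    modified_blocks = blocks[:3] + [bytes(tampered)] + blocks[4:]
    results["root_changed"] = build_tree(modified_blocks)[-1][0] != trusted_root
    return results


if __name__ == "__main__":
    print(demo())
```

The design point the model shows is why only the root needs protection: whoever can verify the signature on the root can check any single block with a handful of sibling hashes, and a change to any block propagates up to a different root unless SHA-256 itself is broken.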

Dm-verity prerequisites

Create a verified boot

To reduce risk, the kernel itself must be verified with a key burned into the device.

Switching to block-based OTAs

In order to use dm-verity, block-based over-the-air (OTA) updates must be used, which ensures that the system partition is identical on all devices.

Setting up dm-verity

After switching to block-based OTAs, dm-verity can be configured by installing the latest Android kernel (or an upstream kernel with the dm-verity patches) and enabling dm-verity support, which includes setting CONFIG_DM_VERITY in the kernel configuration.

If you are using the Android kernel, dm-verity is already enabled.

source: https://source.android.com/security/verifiedboot/
