On Mon, Jan 30, 2017 at 04:47:13PM +1100, Stewart Smith wrote:
> dm-verity (a device-mapper target that cryptographically verifies each
> filesystem block) could be a way to very easily get most of what's
> needed here.
>
> https://lwn.net/Articles/459420/
>
> https://source.android.com/security/verifiedboot/
>

Any ideas on how nicely that plays with mtd/ubi? I don't see anything
about it. I do see some dm-verity presentations claiming that IMA is
slow and dm-verity is much faster.

We should have all code in a SquashFS image anyhow. Signing / verifying
that whole image might be reasonable as well.

--
Patrick Williams