dm-verity is a mechanism of the Linux kernel that allows for transparent integrity checking of data as they are read from block devices. It works by pre-generating a merkle tree of hashes for the target/data block device and then by supplying the root hash to the kernel during the mount operation. This enables a form of integrity checking which is "delayed" in the sense that checks are done by the kernel using the merkle tree and the root hash during individual block accesses, instead of having to hash and verify the entire block device before mounting; which is prohibited in some use cases (i.e during boot).

Snaps are mostly well-known as a packaging and distribution format for Linux applications but are also used in Ubuntu Core, which is Ubuntu's immutable OS variant, to ship core parts of the system such as the Linux kernel or the rootfs. Storage-wise, each snap is essentially a squashfs read-only file system which is mounted during its installation. While checks are already in place for verifying the integrity of snaps in use, we are looking into improving the existing mechanisms by allowing snaps to be mounted with dm-verity. This should allow for more performant integrity checking prior to use (or during boot in the case of Ubuntu Core) as well as continuous integrity checking during runtime. This talk will present some of our design challenges, a few interesting applications (i.e in secure boot and confidential computing) and the current state of the project.