Trusted Boot

Introduction

Trusted boot is a mechanism in the operating system's bootloader that authenticates the underlying code and builds the root of the chain of trust.

In the context of the boot process, trust means that an embedded module executes only the boot code, operating system, and application code. The only way to guarantee trust in this chain is to ensure that all code -- from the very first instruction that a processor executes -- is authentic and specifically intended by the system integrator to execute on that processor.

Cryptography in the form of encryption and digital signatures is an essential component for establishing trust and preventing a malicious actor from modifying, adding, or replacing authentic code. While encryption ensures confidentiality to prevent prying eyes from understanding the code, it does not guarantee that the code comes from an authorized source and has not been tampered with in some way (authentication and integrity). So we need digital signatures to provide authentication.

Digital Signature

      

Signing


Verification

Implementation

The basic principle is to sign the whole content of the root (OS) with a digital signature and store that value. When booting starts, verify the content against the signature.
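The sign-then-verify flow described above, as an added example that is not part of the original post. It swaps in a Lamport one-time signature because that scheme needs only `hashlib`; real boot chains typically use RSA or ECDSA. The names `ROOTFS`, `boot` and `demo` are hypothetical and the image bytes are constructed.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of random secrets; the public key is their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub

def digest_bits(image: bytes):
    d = int.from_bytes(sha256(image), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(priv, image: bytes):
    # Build time: reveal one secret per digest bit. A key must sign only one image.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(image))]

def verify(pub, image: bytes, sig) -> bool:
    # Boot time: needs only the public key, the image and the stored signature.
    if len(sig) != 256:
        return False
    return all(sha256(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(image))))

def boot(pub, image: bytes, sig) -> str:
    # The bootloader hands over control only when the signature checks out.
    return "boot" if verify(pub, image, sig) else "halt"

# Constructed sample data standing in for a root filesystem image.
ROOTFS = b"constructed rootfs image: /sbin/init v1"

def demo():
    priv, pub = keygen()
    sig = sign(priv, ROOTFS)           # stored next to the image at build time
    tampered = ROOTFS.replace(b"v1", b"v2")
    return boot(pub, ROOTFS, sig), boot(pub, tampered, sig)

if __name__ == "__main__":
    print(demo())
```

Only the public key has to live in the bootloader; the private key stays on the build machine.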

dm-verity (Android)

An Introduction to dm-verity on Android | Kynetics
