header logo iot bzh

Cybersecurity & Open Source Software

We help you solve the growing complexity of your IoT Linux-based projects

Try redpesk®

 

November 18th, 2025

Ensuring file integrity and authenticity on Linux using a Hardware Security Module

The French conference ‘Capitole du Libre’ is held every year in Toulouse, France. It covers many topics related to free software, such as embedded systems, cloud, the Linux kernel, programming, and more. For the first time, IoT.bzh presented some of its work in progress on the use of the Linux kernel's fs-verity feature integrated into an HSM.


Link to the talk
Presentation's PDF version here


Ensuring data protection and authenticity is essential in any open-source and/or industrial context. The Linux kernel offers integrity verification features, particularly block-level mechanisms (via device-mapper) such as dm-verity, but these require the file system to be mounted as read-only. How can this mechanism be used in a Linux environment that requires read/write access?


Facing this challenge in an industrial project—where the goal was to verify and authenticate the configuration of critical Linux applications—we explored the possibility of performing this operation at the file system level. Available on ext4, f2fs, and soon XFS, the Linux kernel’s fs-verity feature verifies the integrity of one or more files without affecting the entire file system. For each file, fs-verity uses a hash tree known as a Merkle tree.


It is important to note that fs-verity does not protect against file spoofing (deletion and replacement with a different file). Ensuring file authenticity therefore becomes necessary, which can be achieved by adding signatures for each verity file.


We used the open-source softHSMv2 solution to demonstrate the feasibility of interfacing fs-verity with a Hardware Security Module (HSM), enabling the signing of the Merkle tree root hash for each file using RSA keys from the HSM via PKCS#11. This solution is easily reproducible and thus ideal for development needs, as it does not require dedicated hardware (softHSM is a software implementation of an HSM). Note that support for PKCS#11 tokens is only available starting from fs-verity-utils v1.5 (the userspace library used).


The second part of this presentation will explain how a trusted software environment like OP-TEE (Open Portable Trusted Execution Environment) can provide the same functionality as an HSM, using ARM TrustZone and a PKCS#11 Trusted Application (TA). Finally, there are also hardware components such as YubiHSM, Nitrokey HSMv2, or Pico HSM that can be integrated at a lower cost into industrial or open-source projects.