Android 4.4 brought on a lot of changes to the operating system in general terms, but one change to how the system reacts to perceived malware could have a ripple effect. When booting, Android 4.4 uses a device mapper (dm-verity) to reduce the risk of root kits on your OS. This new device mapper checks the filesystem storage, and attempts to detect modifications at the block level.

While aimed at nefarious systems, this is also the same way Android devices use custom ROMs. This verified boot could, by virtue of it’s structure, cause some issues with modifying your device. While google notes this is an experimental feature, the headlines don’t read as it being friendly to device modification.

Though Google doesn’t specifically say it will block rooting and flashing custom ROMs, the language in their page for dm-verity begs as many questions as it does answers. In part, Google’s explanation of dm-verity says “The dm-verity feature lets you look at a block device, the underlying storage layer of the file system, and determine if it matches its expected configuration.” Between detection and verification, just what is considered “expected configuration”? Is that our expectations, or Google’s?

Further complicating the matter is an explanation of who can change the kernel. In part, the page says ”…if rooting software compromises the system before the kernel comes up, it will retain that access. To mitigate this risk, most manufacturers verify the kernel using a key burned into the device. That key is not changeable once the device leaves the factory.” That apparently leaves us at the mercy of the carrier, if not Google’s interpretation of Android.


We’d like to think this is a method for carriers to secure their systems, rather than a blanket protocol for locking us out — or in. If shipped with this type of locked boot loader, it may effectively shut down custom ROMs like those from Paranoid Android or CyanogenMod for popular devices like the HTC One or Samsung Galaxy (anything). We’d also like to think that an unlocked bootloader would simply leave this protocol out, without changing much else. Still experimental, and a method that hasn’t shipped on any device yet, we’ll be sure to keep an eye on dm-verity and how it affects the customization landscape, moving forward.

VIA: Android Authority