I have been reading this interesting link https://news.ycombinator.com/item?id=13741625
Where I have come across the word 'block level signature'. What does exactly block level signature means?.
Any pointers much appreciable.
The discussion is about OTA update that allows you to upgrade an entire disk (or firmware) image. This image will be made up of blocks.
There will likely also be a file system on top of these blocks, so that some of the blocks will make up files, and others will make up the file system metadata and perhaps other things.
The way I read it, block level signature in this context means signing the entire disk image (i.e. all of the blocks). This is in contrast to signing the files that are part of the image. An analogy would be signing all of the blocks of your hard-drive as opposed to signing each of the individual files on your disk.
The discussion makes the argument that:
Signing an archive would probably be good enough for many cases. Block level is a bit simpler (all or nothing) and thus less risk of mixing with unsigned parts (sideloading attacks).
For security-sensitive embedded devices (e.g. payment terminals), block level signatures would allow hardware verification during boot as well (1st stage bootloader verifies 2nd stage, then kernel, etc.) if designed correctly.
And indeed, if you want to sign the files that are part of the image, then you will need to parse the file system which typically is quite complex and error prone to implement. Reading the entire image at the block level and calculating the signature is far easier.