Ubuntu – How to protect from CIA #Vault7-like attacks into Linux from Windows

Tags: dual-boot, hash, kernel, malware, Security

Linux is compiled from open-source and thousands of developers would spot any malicious source code. However many Linux users dual boot Windows and malware / spyware / "spook"ware (CIA) software could hack the compiled binaries of Linux after a clean version was installed.

The solution I think is to run a hash total on Linux Kernel binaries immediately after an update is installed, i.e. on 4.4.0-63-generic.

The question is which files need to be included? i.e. /boot/4.4.0-63-generic or more than that?

After the hash total is generated a cron job can be run monthly, weekly or daily to regenerate the hash total and compare it to the original version to ensure it hasn't changed. If the hash totals don't match an infection has occurred and a clean kernel needs to be reinstalled.


Edit 1: The answers so far are more like comments. Those answers and the comments below seem to say "The CIA is too smart and too rich to protect yourself so don't bother trying". If I read that right then all the answers might as well be written by one of the CIA, NSA, MI6 or Mossad paid trolls or someone on spook payroll. An analogy would be "Your neighbourhood criminals are too smart and sophisticated. They watch your house and learn your habits. There is no point locking your doors or installing an alarm system."

Someone else says once you reboot with Windows the password you used to encrypt your hash totals can be read by spyware. I doubt that because Windows RAM footprint is larger than Linux's RAM footprint and loading windows would wipe out any valuable searchable RAM Linux may have left behind. Besides a simple 10 second power off would erase all RAM.

At the opposite end of the spectrum someone suggested "Don't use Windows". Um… no I won't hide in fear and avoid the platforms I need to use when I need to use them. It's a super fast laptop with a hybrid nVidia graphics and when it's time for Windows gaming it will be used as such.

  1. This is more of a how would you do it, but with kernel update you would obviously need to rerun the hash, to create a new one. But what if you forgot to rerun it, what would happen then?

With a kernel update an entirely new kernel is installed to /boot. If you forget to run the job to create new hash totals then the cron job that compares totals will give you an error the same way as if someone had modified kernel binaries behind your back.

The actual design of scripts and encryption of hash totals comes later. We are putting the cart in front of the horse. The first step is to identify what needs to be protected. It's NAA (Not An Answer) to post questions on "how would you do it?" embedded in an answer.

Partially answering my question: in addition to running hash totals on Kernel images, selected drivers should be included. Specifically I'm thinking of the one where they can turn off power to webcam LEDs, giving the illusion they are turned off, and then activating the camera. Something similar with mics perhaps?

Removing all speculation on whether you should or should not monitor unauthorized modifications to your kernel space–what binaries should be protected from external tampering?
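The baseline-and-compare job the question describes, as an added example that is not part of the question or any of its answers. It hashes every file under a directory tree with SHA-256, stores the list as a baseline, and later re-checks the tree, reporting both modified or missing files and files that appeared after the baseline was taken (which is exactly what happens when a kernel update lands and the baseline was not regenerated). The directory and file names in the demo are constructed stand-ins; on a real Ubuntu install the assumed targets would be /boot (vmlinuz-*, initrd.img-*, config-*, System.map-*, the grub directory) and /lib/modules/$(uname -r), and the baseline file would be kept somewhere the monitored system cannot quietly rewrite it.

```shell
#!/bin/sh
# Added example, not code from the question or its answers.
# Assumed usage on a real system (paths are assumptions, not the page's):
#   make_baseline /boot /media/usb/boot.sha256
#   check_baseline /boot /media/usb/boot.sha256   # from cron

# List every regular file under DIR, one per line, in a stable order so that
# two baselines of the same tree are byte-for-byte comparable.
kernel_file_list() {
    dir="$1"
    find "$dir" -type f | LC_ALL=C sort
}

# Write "sha256  path" lines for every file under DIR to the file BASELINE.
# BASELINE must live outside DIR, otherwise it would be hashing itself.
make_baseline() {
    dir="$1"; baseline="$2"
    kernel_file_list "$dir" | while IFS= read -r f; do
        sha256sum "$f"
    done > "$baseline"
}

# Re-hash the tree and compare with BASELINE.
# Returns 0 only if every listed file is present and unchanged AND no file
# exists now that was absent from the baseline. Returns 1 otherwise.
check_baseline() {
    dir="$1"; baseline="$2"
    status=0
    # sha256sum -c re-hashes each listed file; --quiet prints failures only
    if ! sha256sum -c --quiet "$baseline"; then
        status=1
    fi
    # A sha256 digest is 64 hex chars followed by two spaces, so the path
    # starts at column 67. Any current file not listed there is new.
    kernel_file_list "$dir" | while IFS= read -r f; do
        cut -c67- "$baseline" | grep -qxF -- "$f" || {
            echo "NEW FILE (not in baseline): $f"
            exit 1
        }
    done || status=1
    return "$status"
}

# Self-contained demonstration on a constructed tree. Returns 0 if a clean
# tree passes, a tampered kernel image is caught, and a newly dropped module
# is caught; returns 1 if any of those expectations fails.
demo_run() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/boot" "$t/modules/kernel/drivers/media"
    # Constructed stand-ins for a kernel image, initramfs and a webcam driver
    printf 'fake kernel image' > "$t/boot/vmlinuz-4.4.0-63-generic"
    printf 'fake initramfs'    > "$t/boot/initrd.img-4.4.0-63-generic"
    printf 'fake module'       > "$t/modules/kernel/drivers/media/uvcvideo.ko"
    base="$t.sha256"
    make_baseline "$t" "$base"

    # 1) untouched tree must pass
    check_baseline "$t" "$base" >/dev/null 2>&1 || { rm -rf "$t" "$base"; return 1; }

    # 2) one byte appended to the kernel image must be reported
    printf 'X' >> "$t/boot/vmlinuz-4.4.0-63-generic"
    if check_baseline "$t" "$base" >/dev/null 2>&1; then rm -rf "$t" "$base"; return 1; fi

    # 3) restore the image, then drop an unlisted module: must also be reported
    printf 'fake kernel image' > "$t/boot/vmlinuz-4.4.0-63-generic"
    printf 'fake extra module' > "$t/modules/kernel/drivers/media/extra.ko"
    if check_baseline "$t" "$base" >/dev/null 2>&1; then rm -rf "$t" "$base"; return 1; fi

    rm -rf "$t" "$base"
    return 0
}

demo_run && echo "demo: clean tree passed, tampering and new file both detected"
```

Two practical caveats follow from the threat model in the question. First, a check run from the suspect kernel itself can be lied to (a rootkit that owns the kernel can return the original bytes to sha256sum), so the comparison is only trustworthy when run from media you trust, such as a live USB, against the mounted disk. Second, the baseline must not sit where whatever modified /boot can also modify it; that is also the weakness of on-disk package checksums, which is why tools such as debsums or dpkg --verify (both compare installed files against the checksums recorded by the package) are a convenience rather than a guarantee.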

Best Answer

The only way I see to avoid this scenario is to avoid dual-boot: get rid of Windows. Of course, if you think the CIA can't install malware that will hide in a desktop/laptop Linux system, you're not paranoid enough...
