signed elf environment on linux, or i love my job

Over the last couple of months, we have been working to ensure that our virtualization environment is entirely trusted, from the boot loader, through the hypervisor and main kernel to the userland.  Why is the userland important?  Because modified userland means one can gain access to the hypervisor.  To protect against that, we have been working on a way to sign ELF images and check their signatures for validity by using a keyring inside the kernel.

Here is what we have going on, it is pretty awesome:

nenolod@mimoki:~$ ./signedelf
Hello world!
nenolod@mimoki:~$ ./modifiedelf
bash: ./modifiedelf: Permission denied
nenolod@mimoki:~$ ./unsignedelf
bash: ./unsignedelf: Permission denied
nenolod@mimoki:~$ dmesg | grep elf
[ 3106.217384] signed-elf: Allowing execution of /home/nenolod/signedelf due to VALID_SIGNATURE.
[ 3113.944013] signed-elf: Disallowing execution of /home/nenolod/modifiedelf due to INVALID_SIGNATURE.
[ 3113.944013] signed-elf: Trusted key is in keyring; but calculated checksum of binary does not match.
[ 3120.027148] signed-elf: Disallowing execution of /home/nenolod/unsignedelf due to UNSIGNED.

The plan is to upstream this work in the 2.6.38 merge window.  Right now, the trust policy is controlled through a sysctl.  This is just a preview of what is to come. :)

No, seriously, getting paid to hack on Linux is pretty awesome.

3 Responses to “signed elf environment on linux, or i love my job”

  1. stribika says:

    That sounds good. It is nice to see something like this because I think linux is pretty bad at protecting users from their own programs (it only works well if the users are different).

    Can you control which executables can do what based on who signed it? Or something like “root can only run binaries signed by X, other users can run stuff signed by X or Y and bob can run anything”. Can an unprivileged user set what he wants to run or is it only possible for root? What about debugging? Can a process signed by A debug (ptrace) a process signed by B?

  2. zman says:

    Very interesting, this is a feature I have thought about for quite some time now.

  3. huggyface says:

    If you are able to talk about it… How does your solution compare to DigSig?