Archive for August, 2010

libamz and amzdl

Tuesday, August 31st, 2010

Due to frustrations with the Amazon MP3 store's mandatory (well, for albums anyway) download client not being installable on Fedora 14, I have reverse engineered the AMZ file format and am working on a library and download tool for the AMZ files distributed by Amazon. This code is under the ISC license and will allow you to download from amazonmp3 anywhere that glib and libsoup work.

Note: This does not allow you to get MP3s for free.  It only allows you to download MP3s you have bought, as you have to have proof of purchase (e.g. the AMZ file that they give you).

I intend to write a GTK+ frontend soonish, but a usable command-line client was better than nothing. You may download the code from my mercurial repository by doing:

$ hg clone
$ cd libamz
$ sh
$ ./configure
$ make
$ sudo make install

You can then use amzdecrypt to view the raw underlying XSPF playlist, amzls to view a track listing and amzdl to download the music referenced by the AMZ file.

Have fun!

signed elf environment on linux, or i love my job

Tuesday, August 24th, 2010

Over the last couple of months, we have been working to ensure that our virtualization environment is entirely trusted, from the boot loader, through the hypervisor and main kernel to the userland.  Why is the userland important?  Because modified userland means one can gain access to the hypervisor.  To protect against that, we have been working on a way to sign ELF images and check their signatures for validity by using a keyring inside the kernel.

Here is what we have going on; it is pretty awesome:

nenolod@mimoki:~$ ./signedelf
Hello world!
nenolod@mimoki:~$ ./modifiedelf
bash: ./modifiedelf: Permission denied
nenolod@mimoki:~$ ./unsignedelf
bash: ./unsignedelf: Permission denied
nenolod@mimoki:~$ dmesg | grep elf
[ 3106.217384] signed-elf: Allowing execution of /home/nenolod/signedelf due to VALID_SIGNATURE.
[ 3113.944013] signed-elf: Disallowing execution of /home/nenolod/modifiedelf due to INVALID_SIGNATURE.
[ 3113.944013] signed-elf: Trusted key is in keyring; but calculated checksum of binary does not match.
[ 3120.027148] signed-elf: Disallowing execution of /home/nenolod/unsignedelf due to UNSIGNED.

The plan is to upstream this work in the 2.6.38 merge window.  Right now, the trust policy is controlled through a sysctl.  This is just a preview of what is to come. :)

No, seriously, getting paid to hack on Linux is pretty awesome.
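The three verdicts in the dmesg output above can be modelled in userspace. This is an added example, not the kernel patch or any code from this post: the trailer layout (key id, signature, marker appended to the image), the marker string, the key id and the use of HMAC-SHA256 in place of a public-key signature are all assumptions made so the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac

MAGIC = b"~signed-elf-demo~"  # assumed trailer marker, not a real on-disk format
KEYID_LEN, SIG_LEN = 8, 32    # assumed key id size; HMAC-SHA256 output size

# Constructed keyring (key id -> secret). A kernel keyring would hold public
# keys; HMAC is a stand-in because the stdlib has no asymmetric signatures.
KEYRING = {b"vendor01": b"constructed-demo-key"}

def _mac(key: bytes, image: bytes) -> bytes:
    """MAC over the SHA-256 digest of the image (the 'calculated checksum')."""
    return hmac.new(key, hashlib.sha256(image).digest(), hashlib.sha256).digest()

def sign(image: bytes, key_id: bytes, key: bytes) -> bytes:
    """Append key id, signature and marker to the image."""
    return image + key_id + _mac(key, image) + MAGIC

def verdict(blob: bytes, keyring=KEYRING) -> str:
    """Return the verdict name an exec-time check would log for this blob."""
    if not blob.endswith(MAGIC):
        return "UNSIGNED"
    body = blob[:-len(MAGIC)]
    if len(body) < KEYID_LEN + SIG_LEN:
        return "INVALID_SIGNATURE"  # truncated trailer
    image = body[:-(KEYID_LEN + SIG_LEN)]
    key_id = body[-(KEYID_LEN + SIG_LEN):-SIG_LEN]
    sig = body[-SIG_LEN:]
    key = keyring.get(key_id)
    if key is None:
        # Assumption: a signer missing from the keyring is treated as invalid.
        return "INVALID_SIGNATURE"
    # Constant-time compare of the stored signature against the recomputed one.
    ok = hmac.compare_digest(sig, _mac(key, image))
    return "VALID_SIGNATURE" if ok else "INVALID_SIGNATURE"

# Constructed sample images: an ELF-like header followed by a dummy payload.
IMAGE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed payload"
SIGNED = sign(IMAGE, b"vendor01", KEYRING[b"vendor01"])
MODIFIED = bytearray(SIGNED)
MODIFIED[5] ^= 0x01  # flip one bit in the image after signing
MODIFIED = bytes(MODIFIED)

if __name__ == "__main__":
    for name, blob in [("signedelf", SIGNED), ("modifiedelf", MODIFIED),
                       ("unsignedelf", IMAGE)]:
        print(name, verdict(blob))
```

The modified image reproduces the case in the log where the trusted key is in the keyring but the recomputed digest no longer matches the signed one.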

on the topic of atheme trademarks and enforcement…

Saturday, August 14th, 2010

The purpose of using a specific name behind a project is so that people identify with that project’s identity in an effective way.

Recently there have been some developments involving SorceryNet making a fork of the charybdis IRC server implementation. This is fine, of course; the license allows it, and they renamed it to SorIRCd, as would be the standard procedure in matters like these, which is fine.

However, now they wish to add back the Charybdis string in the version output.  There are ways that this can be done where it does not infringe on our rights as holder of the charybdis name.  But no…

Here is how they intend to set their version string:


In and of itself, this is mostly OK, but it raises some questions about Charybdis: What is charybdis? Is it a patchset to SorIRCd? The fact that the second question is raised makes it an obvious infringement.

This leaves me somewhat concerned as there is an obvious infringement of the charybdis name going on, and it may result in actual confusion.  Since the coder is an Anope developer, maybe I ought to just tack on -Anope2.0 to the end of Atheme’s version string and see what they say about it.  Maybe they will get my point then…