Over the last couple of months, we have been working to ensure that our virtualization environment is entirely trusted, from the boot loader, through the hypervisor and main kernel to the userland.  Why is the userland important?  Because modified userland means one can gain access to the hypervisor.  To protect against that, we have been working on a way to sign ELF images and check their signatures for validity by using a keyring inside the kernel.

Here is what we have going on, it is pretty awesome:

nenolod@mimoki:~$ ./signedelf
Hello world!
nenolod@mimoki:~$ ./modifiedelf
bash: ./modifiedelf: Permission denied
nenolod@mimoki:~$ ./unsignedelf
bash: ./unsignedelf: Permission denied
nenolod@mimoki:~$ dmesg | grep elf
[ 3106.217384] signed-elf: Allowing execution of /home/nenolod/signedelf due to VALID_SIGNATURE.
[ 3113.944013] signed-elf: Disallowing execution of /home/nenolod/modifiedelf due to INVALID_SIGNATURE.
[ 3113.944013] signed-elf: Trusted key is in keyring; but calculated checksum of binary does not match.
[ 3120.027148] signed-elf: Disallowing execution of /home/nenolod/unsignedelf due to UNSIGNED.

The plan is to upstream this work in the 2.6.38 merge window.  Right now, the trust policy is controlled through a sysctl.  This is just a preview of what is to come.

No, seriously, getting paid to hack on Linux is pretty awesome.

This entry was posted on Tuesday, August 24th, 2010 at 3:34 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.