Date: Mon, 24 Apr 2017 19:38:02 -0400
From: Eric McCorkle <eric@metricspace.net>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@FreeBSD.org>, freebsd-security@freebsd.org
Subject: Re: Proposal for a design for signed kernel/modules/etc
Message-ID: <3279bd55-61ca-f46b-b01e-e1167279f43b@metricspace.net>
In-Reply-To: <0943546b-2dcd-597b-e000-38926e55bc1d@metricspace.net>
References: <6f6b47ed-84e0-e4c0-9df5-350620cff45b@metricspace.net> <20170327183735.uokjhjaafkawc2id@mutt-hbsd> <0943546b-2dcd-597b-e000-38926e55bc1d@metricspace.net>

On 03/27/2017 15:53, Eric McCorkle wrote:
> On 03/27/2017 14:37, Shawn Webb wrote:
>> Hey Eric,
>>
>> Thank you for writing this! ELF binary signing has been on my
>> ever-growing list of things to research and develop. If you'd like help,
>> please let me know.
>
> I'll probably spin up a branch on my github in the near future.

I've gotten an implementation of the signelf utility working well enough
to sign some binaries. You can check it out yourself here:

https://github.com/emc2/freebsd/tree/elf_signing

I also fixed two bugs in libelf in the process :D However, that means
you'll need to build and install libelf from the repo.

The utility fails when signing files that already have a signature, and
verification is unimplemented at this point. But at least you can get a
signed binary.