Digitally Signed Binaries w/ Kernel support, etc.

Roland Smith rsmith at xs4all.nl
Thu Apr 3 16:41:11 UTC 2008


On Thu, Apr 03, 2008 at 01:46:39PM +0200, Ivan Voras wrote:
> Roland Smith wrote:
> > On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
> >> Does FreeBSD have support for digitally signed binary checking, similar to 
> >> what Linux has with bsign and DigSig, where system binaries are signed and 
> >> this signature is verified before being run in the kernel?
> > 
> > If an attacker can modify binaries, he already has root privileges. In
> > that case, what will stop him from creating a new pgp key and re-sign
> > his doctored binaries?
> > 
> >> This would be very useful to have to further tighten down the system.
> > 
> > As an alternative, on FreeBSD you can set the system immutable flag on
> > binaries (see chflags(1)), and set the securelevel > 0. See
> > init(8). Once this is set, not even root can undo this. You have to
> > reboot to reset the securelevel to -1.
> 
> Signing binaries could be naturally tied in with securelevel, where some
> securelevel (1?) would mean kernel no longer accepts new keys.

If you set the system immutable flag on the binaries, you cannot modify them at
all at securelevel >0. Signing the binaries would be pointless in that case.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
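The chflags/securelevel lockdown described in the quoted reply above, as an added example that is not part of the original thread. It sets the system-immutable flag on a file, raises kern.securelevel to 1, and then checks that root can no longer write the file, clear the flag, or lower the securelevel. Assumptions of this example: the demo path /tmp/demo_bin, a throwaway script standing in for a system binary, and a CONFIRM_SECURELEVEL=1 guard added because raising the securelevel is system-wide and persists until reboot, so it should only be run on a scratch FreeBSD box as root.

```shell
#!/bin/sh
# Added example, not from the original thread: lock a binary with the
# system-immutable flag (schg), raise the kernel securelevel, and confirm
# that even root can no longer modify it, clear the flag, or lower the
# securelevel again. Requires FreeBSD and root. The path /tmp/demo_bin and
# the CONFIRM_SECURELEVEL guard are assumptions of this example.

# Print the running securelevel (-1 is the default "insecure" mode).
current_securelevel() {
    sysctl -n kern.securelevel
}

# Apply the system-immutable flag. Root may still clear it while
# securelevel is <= 0; the next step removes that option.
lock_binary() {
    chflags schg "$1"
}

# Raise the securelevel to 1. sysctl only allows raising it; the kernel
# refuses to lower it, and only init(8) resets it at boot.
raise_securelevel() {
    sysctl kern.securelevel=1 >/dev/null
}

# Return 0 if every tampering attempt is refused, 1 if any of them succeeds.
verify_locked() {
    f=$1
    if sh -c "printf x >> '$f'" 2>/dev/null; then
        echo "FAIL: write to $f succeeded"; return 1
    fi
    if chflags noschg "$f" 2>/dev/null; then
        echo "FAIL: schg flag could be cleared"; return 1
    fi
    if sysctl kern.securelevel=0 >/dev/null 2>&1; then
        echo "FAIL: securelevel could be lowered"; return 1
    fi
    echo "OK: $f immutable, securelevel=$(current_securelevel)"
    return 0
}

# Run the whole sequence. Returns 0 when the lockdown holds, 1 when it does
# not, and 2 when the demo is skipped because it would not be safe here
# (raising securelevel affects the whole system until the next reboot).
demo_lockdown() {
    f=${1:-/tmp/demo_bin}
    if [ "$(uname -s)" != FreeBSD ] || [ "$(id -u)" -ne 0 ] \
       || [ "${CONFIRM_SECURELEVEL:-0}" != 1 ]; then
        echo "skipped: needs FreeBSD, root, and CONFIRM_SECURELEVEL=1"
        return 2
    fi
    # Constructed stand-in for a system binary (assumption of this example).
    printf '#!/bin/sh\necho hello\n' > "$f"
    chmod 755 "$f"
    lock_binary "$f"
    raise_securelevel
    verify_locked "$f"
}

rc=0
demo_lockdown "$@" || rc=$?
if [ "$rc" -eq 1 ]; then
    echo "lockdown did NOT hold" >&2
fi
```

Once verify_locked reports OK, the only way to get the file writable again is a reboot: the kernel refuses sysctl kern.securelevel=0, and chflags noschg is refused at securelevel 1, exactly the property the reply above relies on. Also note that the flag only protects files that carry it; anything an attacker can still write (for example a directory without schg, or a path searched before the locked binary) is not covered.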