Digitally Signed Binaries w/ Kernel support, etc.

Ivan Voras ivoras at freebsd.org
Fri Apr 4 08:59:00 UTC 2008


Roland Smith wrote:
> On Thu, Apr 03, 2008 at 01:46:39PM +0200, Ivan Voras wrote:
>> Roland Smith wrote:
>>> On Wed, Apr 02, 2008 at 03:09:59PM -0400, Forrest Aldrich wrote:
>>>> Does FreeBSD have support for digitally signed binary checking, similar to 
>>>> what Linux has with bsign and DigSig, where system binaries are signed and 
>>>> this signature is verified before being run in the kernel?
>>> If an attacker can modify binaries, he already has root privileges. In
>>> that case, what will stop him from creating a new pgp key and re-sign
>>> his doctored binaries?
>>>
>>>> This would be very useful to have to further tighten down the system.
>>> As an alternative, on FreeBSD you can set the system immutable flag on
>>> binaries (see chflags(1)), and set the securelevel > 0. See
>>> init(8). Once this is set, not even root can undo this. You have to
>>> reboot to reset the securelevel to -1.
>> Signing binaries could be naturally tied in with securelevel, where some
>> securelevel (1?) would mean kernel no longer accepts new keys.
> 
> If you set the system immutable flag on the binaries, you cannot modify them at
> all at securelevel >0. Signing the binaries would be pointless in that case.

I think these are separate things. Modifying binaries is separate from
introducing new binaries. SCHG would prevent the former, but not the latter.

Of course, with the popularity of various scripting languages it's not
as useful as it could be at first thought.
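The schg-plus-securelevel hardening discussed above, as an added audit script that is not part of the thread: it lists regular files in the given directories that still lack the system-immutable flag, which is what you want to know before raising kern.securelevel, since at securelevel > 0 the flag can no longer be set or cleared without a reboot. It assumes FreeBSD's ls(1) with -o (the file-flags column); the directory paths are assumptions.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Audit which files under given directories lack the schg flag.
# `ls -lo` field layout on FreeBSD:
#   mode links owner group flags size month day time-or-year name

# has_schg LINE: exit 0 if an `ls -lo` line carries the schg flag.
# Flags are comma separated (e.g. "schg,sunlnk"); "-" means none.
has_schg() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# unprotected: read an `ls -lo` listing on stdin and print the name of
# every regular file (mode starts with "-") that does not carry schg.
# The "total N" header and directories/symlinks are skipped.
unprotected() {
    while IFS= read -r line; do
        case "$line" in
            -*) has_schg "$line" || printf '%s\n' "$line" |
                    awk '{ s=$10; for (i=11; i<=NF; i++) s=s" "$i; print s }' ;;
        esac
    done
}

# audit_dir DIR...: print full paths of unprotected regular files.
audit_dir() {
    for d in "$@"; do
        ls -lo "$d" | unprotected | sed "s|^|$d/|"
    done
}

# Only run the live audit on FreeBSD; GNU ls interprets -o differently.
# Assumed target directories; adjust to taste.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_dir /bin /sbin /usr/bin /usr/sbin
fi
```

Once the list is empty, `chflags schg` has been applied everywhere you intended and `sysctl kern.securelevel=1` (or kern_securelevel in rc.conf) locks it in; as noted above, this protects existing files only and does nothing against a newly dropped binary or script.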
