Changeset View
Changeset View
Standalone View
Standalone View
share/man/man5/signed-elf.5
- This file was added.
| .\" Copyright (c) 2017 Eric McCorkle | |||||
| .\" All rights reserved. | |||||
| .\" | |||||
| .\" Redistribution and use in source and binary forms, with or without | |||||
| .\" modification, are permitted provided that the following conditions | |||||
| .\" are met: | |||||
| .\" 1. Redistributions of source code must retain the above copyright | |||||
| .\" notice, this list of conditions and the following disclaimer. | |||||
| .\" 2. Redistributions in binary form must reproduce the above copyright | |||||
| .\" notice, this list of conditions and the following disclaimer in the | |||||
| .\" documentation and/or other materials provided with the distribution. | |||||
| .\" | |||||
| .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |||||
| .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||||
| .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||||
| .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |||||
| .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||||
| .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||||
| .\" SUCH DAMAGE. | |||||
| .\" | |||||
| .\" $FreeBSD$ | |||||
| .\" | |||||
| .Dd April 24, 2017 | |||||
| .Dt SIGNED-ELF 5 | |||||
| .Os | |||||
| .Sh NAME | |||||
| .Nm signed-elf | |||||
| .Nd "cryptographically signed ELF binaries" | |||||
| .Sh DESCRIPTION | |||||
| Signed ELF binaries are files in the Executable Linkable Format | |||||
| .Pq Xr elf 5 | |||||
| that contain extra metadata bearing a cryptographic signature that | |||||
| allows the contents of the file to be verified against a public key. | |||||
| .Ss Format Specification | |||||
| The signed ELF format makes use of features intrinsic to the ELF file | |||||
| format to store signatures. The signature data for a signed ELF is | |||||
| stored in a section named | |||||
| .Sy .sign . | |||||
| The | |||||
| .Sy .sign | |||||
| section is similar in | |||||
| nature to the | |||||
| .Sy .comment | |||||
| section and typically will not be included in | |||||
| any loadable segment. The signature data itself is stored as a | |||||
| DER-encoded CMS detached signature, typically without metadata such | |||||
| as certificates and chains, MIME capabilities, attributes, or other | |||||
| such extras. The signature is computed in binary mode using the | |||||
| contents of the entire file, but with the entire | |||||
| .Sy .sign | |||||
| section | |||||
| containing zero data. | |||||
| .Ss Ciphers and Hashes | |||||
| The CMS format is designed to allow for a variable selection of | |||||
| ciphers. In order to maintain strong security properties, the signed | |||||
| ELF specification imposes the following restrictions on ciphers and | |||||
| hashes: | |||||
| .Bl -bullet -offset indent | |||||
| .It | |||||
| The allowed hash algorithms are as follows: SHA256, SHA384, SHA512, | |||||
| SHA3 (Keccak), Blake-2b, Skein, and Whirlpool. The default hash is | |||||
| SHA256. | |||||
| .It | |||||
| RSA digital signatures are allowed with key lengths of 4096 bits or higher | |||||
| .It | |||||
| ECDSA/EdDSA signatures are allowed for curves satisfying all of the | |||||
| safety properties described by the SafeCurves project (at the time of | |||||
| writing, this list consists of the following curves: M-221, E-222, | |||||
| Curve1174, Curve25519, E-382, M-383, Curve383187, Curve41417, | |||||
| Goldilocks-448, M-511, and E-521). | |||||
| .El | |||||
| .Pp | |||||
| Any signature which does not use an allowed hash and cipher will be | |||||
| rejected. | |||||
| .Pp | |||||
| These restrictions may be changed at a later date, but will generally | |||||
| progress in the direction of stronger security properties. | |||||
| .Ss Creation and Verification | |||||
| The procedure for generating a signature typically requires | |||||
| modification of the ELF file. The procedure is as follows: | |||||
| .Bl -enum -offset indent | |||||
| .It | |||||
| The size of the signature is calculated. (This requires that the | |||||
| signature size be invariant with respect to the data being signed- a | |||||
| property possessed by CMS detached signatures.) | |||||
| .It | |||||
| The | |||||
| .Sy .sign | |||||
| section is added and initialized to the proper size. (Often | |||||
| times this necessitates the creation of string table and section | |||||
| header entries and some file offsets may change as a result.) | |||||
| .It | |||||
| The | |||||
| .Sy .sign | |||||
| section is filled with zeros. | |||||
| .It | |||||
| The signature is computed using the entire file as input. | |||||
| .It | |||||
| The Signature is written into the | |||||
| .Sy .sign | |||||
| section in CMS detached | |||||
| format using the DER enconding. | |||||
| .El | |||||
| .Pp | |||||
| The verification procedure is as follows: | |||||
| .Bl -enum -offset indent | |||||
| .It | |||||
| The | |||||
| .Sy .sign | |||||
| section is located, and the CMS detached signature is loaded | |||||
| .It | |||||
| The | |||||
| .Sy .sign | |||||
| section is overwritten with zeros. | |||||
| .It | |||||
| The signature is verified using the entire file as input. | |||||
| .El | |||||
| .Ss Usage | |||||
| Signed ELF files are primarily intended to be verified by mechanisms such as | |||||
| .Xr loader 8 , | |||||
| .Xr kldload 8 , | |||||
| .Xr execve 2 , | |||||
| and similar mechanisms as part of a chain-of-trust security protocol | |||||
| designed to prevent tampering with executable files, shared libraries, | |||||
| kernel modules, and the like. As such, signed ELF files will almost | |||||
| always be of the executable or shared object variety, as these are | |||||
| typically not modified following their creation. While it is possible | |||||
| to sign archives and linkable objects in the same manner, it typically | |||||
| makes no sense to do so. The security properties of cryptographic | |||||
| signatures prevent even the slightest modification of the data they | |||||
| protect, and both linkable objects and archives are specifically | |||||
| designed to be modified and composed into final products. | |||||
| .Pp | |||||
| It should be noted, however, that some applications (often programming | |||||
| language runtime systems) are known to (ab)use linkable objects or | |||||
| archives in ways that more closely resemble the intended use of | |||||
| executable or shared objects: as a runtime-supported executable, as a | |||||
| kind of loadable module, or for even more exotic uses. In such cases, | |||||
| signing such files may well serve a useful purpose. | |||||
| .Sh CERTIFICATES | |||||
| Signed ELF files require public-key certificates for verification | |||||
| (note that new signatures can only be produced using the corresponding | |||||
| private key). The | |||||
| .Xr openssl 1 | |||||
| tool suite provides a number of utilities for creating and managing | |||||
| private keys and public-key certificates. | |||||
| .Pp | |||||
| A FreeBSD installation maintains a set of trusted public key | |||||
| certificates to serve as a trust root, and at least one signing key to | |||||
| serve as a trust root. The default location for these certificates | |||||
| and keys is | |||||
| .Pa /etc/trust | |||||
| with signing keys being stored in | |||||
| .Pa /etc/trust/priv | |||||
| and public key certificates in | |||||
| .Pa /etc/trust/certs | |||||
| (this allows differing permissions on the two directories), and with | |||||
| trust root keys and certificates being stored in a similar fashion | |||||
| under | |||||
| .Pa /etc/trust/root/priv | |||||
| and | |||||
| .Pa /etc/trust/root/certs. | |||||
| The default public and private keys use for signing locally-produced | |||||
| binaries are located at | |||||
| .Pa /etc/trust/priv/local.pem | |||||
| and | |||||
| .Pa /etc/trust/priv/local.pub.pem | |||||
| respectively. Additional public key certificates may be stored in | |||||
| .Pa /etc/trust/certs | |||||
| that have no corresponding private key. This can be used to grant | |||||
| trust to binaries produced by a third party. | |||||
| .Sh UTILITIES | |||||
| There are several ways of creating, modifying, and verifying signed | |||||
| ELF binaries. | |||||
| .Ss Preferred Method | |||||
| The preferred method for creating and verifying signed ELF files is the | |||||
| .Xr signelf 8 | |||||
| utility. (See the man page for usage details.) | |||||
| .Ss Signing with Binutils and OpenSSL | |||||
| Signed ELF files can also be created and verified using the | |||||
| .Xr objcopy 1 | |||||
| and | |||||
| .Xr openssl 1 | |||||
| utilities. This method can be used in cases where | |||||
| .Xr signelf 5 | |||||
| is not available for some reason, and can also be used to support | |||||
| signed ELF files on foreign operating systems. | |||||
| .Pp | |||||
| A signed ELF file can be created using | |||||
| .Xr objcopy 1 | |||||
| and | |||||
| .Xr openssl 1 | |||||
| with the following procedure: | |||||
| .Pp | |||||
| First, add the | |||||
| .Sy .sign | |||||
| section: | |||||
| .Pp | |||||
| .Dl "$ objcopy --add-section .sign=zeros myexe" | |||||
| .Pp | |||||
| Where | |||||
| .Pa zeros | |||||
| is a file exactly as large as a signature which contains zeros. Next, | |||||
| sign the binary: | |||||
| .Pp | |||||
| .Dl "$ openssl cms -sign -outform DER -md sha256 -binary -nosmimecap \\" | |||||
| .Dl " -nocerts -noattr -signer cert.pem \\" | |||||
| .Dl " -inkey key.pem -in myexe -out signature" | |||||
| .Pp | |||||
| Last, update the | |||||
| .Sy .sign | |||||
| section to contain the signature data: | |||||
| .Pp | |||||
| .Dl "$ objcopy --update-section .sign=signature myexe" | |||||
| .Pp | |||||
| .Ss Verification with Binutils and OpenSSL | |||||
| A signature can be verified with | |||||
| .Xr objcopy 1 | |||||
| and | |||||
| .Xr openssl 1 | |||||
| by the following procedure: | |||||
| .Pp | |||||
| First, extract the signature: | |||||
| .Pp | |||||
| .Dl "$ objcopy --update-section .sign=signature myexe" | |||||
| .Pp | |||||
| Now, zero out the signature: | |||||
| .Pp | |||||
| .Dl "$ objcopy --update-section .sign=zeros myexe myexe.tmp" | |||||
| .Pp | |||||
| Last, verify the signature: | |||||
| .Pp | |||||
| .Dl "$ openssl cms -verify -nointern -inform DER -binary \\" | |||||
| .Dl " -in signature -content signelf -certfile cert.pem \\" | |||||
| .Dl " -CApath /etc/trust/certs -out /dev/null" | |||||
| .Pp | |||||
| The check against the system trusted keys can be omitted as follows: | |||||
| .Pp | |||||
| .Dl "$ openssl cms -verify -nointern -noverify -inform DER -binary \\" | |||||
| .Dl " -in signature -content signelf -certfile cert.pem \\" | |||||
| .Dl " -out /dev/null" | |||||
| .Pp | |||||
| .Ss Deleting Signatures | |||||
| Lastly, signatures can be deleted from a file using the | |||||
| .Xr objcopy 3 | |||||
| utility: | |||||
| .Pp | |||||
| .Dl "$ objcopy -R .sign myexe" | |||||
| .Pp | |||||
| .Sh WARNINGS | |||||
| Any modification of a signed ELF binary- however slight -will cause | |||||
| signature verification to fail (as intended). Furthermore, due to the | |||||
| nature of the ELF format, signatures will likely be retained if a | |||||
| signed ELF binary is used as input to a tool such as | |||||
| .Xr objcopy 1 | |||||
| or similar utilities, which will result in an ELF binary containing a | |||||
| bad signature. | |||||
| .Pp | |||||
| It is therefore recommended to only sign executables and shared | |||||
| objects after at the end of all compilation steps. | |||||
| .Pp | |||||
| As of the time of writing, it is reasonably likely that quantum | |||||
| computing devices capable of attacking public-key ciphers will become | |||||
| available in the foreseeable future. Should this become a reality, the | |||||
| security of RSA- and ECC-based public key algorithms will be compromised. | |||||
| This has major implications for any systems utilizing ELF signatures (or | |||||
| public-key cryptography generally): namely that such systems should avoid | |||||
| hardwired or burned-in keys, that they should assume keys will be | |||||
| periodically changed, and that they should incorporate key expiration | |||||
| and revocation into their designs. Additionally, users should assume that | |||||
| the cipher suite will undergo significant changes to incorporate post-quantum | |||||
| ciphers and remove quantum-vulnerable ones. | |||||
| .Sh SEE ALSO | |||||
| .Xr trust-config 7 , | |||||
| .Xr elf 5 , | |||||
| .Xr signelf 5 , | |||||
| .Xr openssl 1 , | |||||
| .Xr cms 1 , | |||||
| .Xr objcopy 1 | |||||
| .Rs | |||||
| .%A Hewlett Packard | |||||
| .%B Elf-64 Object File Format | |||||
| .Re | |||||
| .Rs | |||||
| .%A Unix System Laboratories | |||||
| .%T Object Files | |||||
| .%B "Executable and Linking Format (ELF)" | |||||
| .Re | |||||
| .Rs | |||||
| .%A Internet Engineering Task Force (IETF) | |||||
| .%B RFC 2315 (CMS) | |||||
| .Re | |||||
| .Rs | |||||
| .%A Daniel J. Bernstein and Tanja Lange. | |||||
| .%T SafeCurves: choosing safe curves for elliptic-curve cryptography. | |||||
| .%B https://safecurves.cr.yp.to/ | |||||
| .Re | |||||
| .Sh HISTORY | |||||
| The signed ELF binary specification first appeared in | |||||
| .Fx 12.0 . | |||||
| .Sh AUTHORS | |||||
| This manual page was written by | |||||
| .An Eric L. McCorkle Aq Mt emc2@metricspace.net . | |||||