Release DigSig 0.1: LSM module checking digital signatures before loading the binaries

From: Makan Pourzandi (Makan.Pourzandiat_private)
Date: Wed Sep 17 2003 - 08:47:40 PDT

  • Next message: Gar Talbott: "Tokyo, 40 Stand up to that interest"

    Release of digsig.0.1
    We implemented a kernel module using LSM hooks for 2.5.66
    which checks signatures before running a binary. 
    The main goal is to insert digital signatures inside the ELF binary
    and verify this signature before loading the binary.
    The code is available from:,
    download digsig-0.1.
    It has been added to DSI's CVS. In order to simplify its use, it is
    available either as part of the DSI package, or in a standalone
    version independently of DSI. Some dsi-based source code files are
    still in the independant package. However, the module is independent
    from DSI and you don't need to download the whole dsi tar ball to play
    with the digsig module (even if we'll be more than happy to have your
    feedback about dsi project :-)).
    Our approach has been to use the existing solutions like gpg and bsign
    rather than reinventing the whole thing from scratch.
    However, in order to reduce the overhead in the kernel, we took only the
    minimum code necessary from GPG. We took only the MPI (Multi Precision
    Integer) source code and the RSA crypto source code. This helped much
    to reduce the amount of code imported to the kernel in sourc code of
    the original (only 1/10 of the original gnupg 1.2.2 sourc code has
    been imported to the kernel module). On the other hand, we avoided
    OpenSSL source code for the fact that the licensing was not clear to
    us. We did some tests at user level and found out that OpenSSL is 4
    times faster than GPG regarding RSA verification. As a future
    direction, we plan to clarify this licensing issue and use OpenSSL
    instead of GPG.
    Linux OS kernel 2.5.66 or  higher.
    Bsign version
    0.4.5. (
    GPG 1.2.2 or higher.
    This is release 0.1. We have done some benchmarks.
    We ran lmbench on a Pentium IV, 2.4 GHz, 500 mega bytes of memory,
    running Linux 2.5.66. Our benchmarks show that the execution time
    (exec function call) multiplies by a factor of 4 when the module is
    loaded (no changes for fork call, as the binary is not loaded into
    A Very simple scenraio to show how to use it  
    1) Generate gpg key and export your public key in order to use it for
     signature verification.
    $gpg --gen-key
    => careful generate RSA key
    $gpg --export >>
    2) Sign your binaries using Bsign
    Before using bsign to sign all your binaries, try out with a simple
    $cp `which ps` ps-test
    $bsign -s ps-test // sign the binary
    $bsign -v ps-test // be sure that the signature is valid  
    3) Make the digsig module
     From ./digsig, do make -C /usr/src/linux-2.5.66 SUBDIRS=$PWD modules. 
    You need rw acess to /usr/src/linux-2.5.66.
    CAREFULL: we advice you to compile the module in debug mode at your
    first tries (see -DDSI_DEBUG -DDSI_DIGSIG_DEBUG in the Makefile). In
    this mode, the module verifies the signatures but does not enforce the
    security (if not any signature present in your binary, you'll have a
    message in /var/log/messages but the execution is not
    aborted.). However, the execution of the bianaries with invalid
    signatures is aborted. Once, you're sure of your binary signature
    procedure you can recompile the whole on non-debug mode.
    4) load digsig, use the public key exported in step 1 as argument
    insmod digsig_verif.ko pkey_file=/usr/src/digsig/
    5) In debug mode:
    $tail -f /var/log/messages
    Sep 16 15:49:13 colby kernel: DSI-LSM MODULE - binary is /bin/ps
    Sep 16 15:49:16 colby kernel: DSI-LSM MODULE - binary is ./ps-makan
    Sep 16 15:49:16 colby kernel: DSI-LSM MODULE - dsi_bprm_compute_creds: 
    Found signature section
    Sep 16 15:49:16 colby kernel: DSI-LSM MODULE - dsi_bprm_compute_creds: 
    Signature verification successful
    6) In restrictive mode, normal mode
    You need to use bsign to sign all binaries that you want to run in
    normal mode.
    // signed binary
    [lmcmpou@reblochon lmcmpou]$ ps
      PID TTY          TIME CMD
     6897 pts/2    00:00:00 bash
     6941 pts/2    00:00:00 ps
    // not signed binary
    [lmcmpou@reblochon lmcmpou]$ ./ps-makan-1
    bash: ./ps-makan: cannot execute binary file
    // binary with wrong signature
    [lmcmpou@reblochon lmcmpou]$ ./ps-makan-2
    bash: ./ps-makan-colby: Operation not permitted
    This work has been done by (alphabetical order)
    A Apvrille (axelle.apvrilleat_private),
    D Gordon (davidgordoncaat_private),  
    M Pourzandi (makan.pourzandiat_private),
    V Roy (vincent.royat_private).
    Special merits go to David who wrote big chunks of the source code.
    Thanks to Marc Singer who helped us with the use of Bsign.
    Best Regards,
    Makan Pourzandi

    This archive was generated by hypermail 2b30 : Wed Sep 17 2003 - 08:41:52 PDT