Astra Linux Special Edition has a nice security feature, “ELF Signature Check”, that I would like to have for Whonix / Kicksecure too. All ELF binaries seem to be signed. No unsigned ELF binaries can be executed. Similar to Secure Boot but for all ELF binaries.
Secure Boot in Debian, at the time of writing, verifies the bootloader signature, which verifies the kernel, which verifies kernel modules, but then continues to execute the unverified initrd and everything else. For references, see these posts:
- enable Linux kernel gpg verification in grub and/or enable Secure Boot by default - #30 by Patrick
- Guaranteeing initramfs integrity during Secure Boot
Got access to Astra Linux Special Edition over SSH. Made a test. Copied /bin/nano to /bin/nano-test. Tried to execute nano-test. Success. Then edited a textual string inside /bin/nano-test. Tried to execute it again. Segmentation fault.
References on what ELF signatures are:
- bsign(1) — bsign — Debian testing — Debian Manpages
- GitHub - digsig-ng/bsign-mirror: Git import of Debian bsign-0.4.5 sources, ELF executable signing tool.
- http://disec.sourceforge.net/
- Debian Package Tracker
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857626
Another test. Install croc.
wget https://getcroc.schollz.com
mv index.html croc-installer
bash ./croc-installer
Installation was successful. Trying to execute it.
croc
That failed.
Segmentation fault
Systemd journal log showing DIGSIG error.
Could try to sign it.
bsign --sign /usr/local/bin/croc
But it asks for a passphrase, which I don’t know, or I would have to somehow add a new key, if that is possible.
The DigSig project states that it has been unmaintained since 2009. I wonder what has become of it. It seems like Astra Linux took over maintenance of it?
sudo modinfo digsig_verif
output:
filename: /lib/modules/4.15.3-1-hardened/misc/digsig_verif.ko
author: DIGSIG Team. Rusbitech support@rusbitech.ru
description: Distributed Security Infrastructure Module
license: GPL
srcversion: CCFE23AF0D192900B8313F3
depends:
retpoline: Y
name: digsig_verif
vermagic: 4.15.3-1-hardened SMP mod_unload modversions
parm: dsi_cache_buckets:Number of cache buckets for signatures validations. (int)
parm: elf_mode:Enforce Digsig restriction for elf (2=debug). (int)
parm: xattr_mode:Enforce Digsig restriction for xattr (2=debug). (int)
parm: ignore_xattr_keys:Ignore XATTR user keys. (int)
parm: ignore_i_mode:Ignore files if (inode i_mode & ignore_i_mode). (int)
parm: ignore_gost2001:Ignore obsolete GOST R34.10-2001 signatures (int)
Also, the bsign utility, which last appeared in Debian jessie, is still available in Astra Linux.
What happened to ELF binary signing? Has it just been abandoned, forgotten and is waiting to be re-discovered in the wake of upcoming development of Secure Boot?
The kernel still has documentation on digsig.
https://github.com/torvalds/linux/blob/master/Documentation/digsig.txt
Which mentions keyctl.
https://manpages.debian.org/buster/keyutils/keyctl.1.en.html
Still need to figure out if ELF binary signing is still doable nowadays (in a more modern way, without reviving digsig by taking over maintenance of it).
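As an added example (not from the original post or from Astra Linux), the following Python sketch lists an ELF file's section names and reports whether it carries an embedded signature section, which helps predict which binaries, like the croc download above, would be refused under enforcement. It assumes bsign stores its data in a section named signature; finding the section says nothing about whether the signature is valid, and the function names and sample images are constructed for illustration.

```python
import struct
import sys

SIG_SECTION = b"signature"  # assumption: name of the section bsign writes

def section_names(data):
    """Return the ELF section names in data, or None if data is not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    e = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    if data[4] == 2:  # EI_CLASS: 2 = 64-bit, otherwise treat as 32-bit
        hdr_fmt, sh_fmt = e + "16sHHIQQQIHHHHHH", e + "IIQQQQIIQQ"
    else:
        hdr_fmt, sh_fmt = e + "16sHHIIIIIHHHHHH", e + "IIIIIIIIII"
    try:
        f = struct.unpack_from(hdr_fmt, data)
        shoff, shentsize, shnum, shstrndx = f[6], f[11], f[12], f[13]
        heads = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
        stroff, strsize = heads[shstrndx][4], heads[shstrndx][5]
    except (struct.error, IndexError):
        return []  # ELF magic, but no usable section table
    strtab = data[stroff:stroff + strsize]
    names = []
    for h in heads:  # h[0] is sh_name, an offset into the string table
        nul = strtab.find(b"\0", h[0])
        names.append(strtab[h[0]:nul] if nul != -1 else b"")
    return names

def signature_status(data):
    names = section_names(data)
    if names is None:
        return "not-elf"
    return "has-signature-section" if SIG_SECTION in names else "no-signature-section"

def build_sample(signed):
    """Constructed minimal ELF64 image: header, string table, section headers."""
    names = [b"", b"signature", b".shstrtab"] if signed else [b"", b".shstrtab"]
    strtab = b"\0".join(names) + b"\0"
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 0,
                      64 + len(strtab), 0, 64, 0, 0, 64, len(names), len(names) - 1)
    heads = b"".join(struct.pack("<IIQQQQIIQQ", strtab.index(n), 1 if n else 0,
                                 0, 0, 64, len(strtab), 0, 0, 1, 0) for n in names)
    return hdr + strtab + heads

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. /usr/local/bin/croc
        with open(path, "rb") as fh:
            print(path, signature_status(fh.read()))
```
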