DigSig2 status

Proof of Concept stage

• Support for detached signatures only
• No cache, no revoking, etc
• File fully read to memory before validation
• Simple tools that allow only basic testing

How-To

• Userspace:
  • Build target filesystem and mount it locally
  • Clone and build tools
  • Use keys.sh to generate CA and signing keys
  • Use sign tool to sign binaries:

./sign signcert.crt signcert.key /srv/nfs/sid/lib/x86_64-linux-gnu/ld-2.27.so /srv/nfs/sid/lib/x86_64-linux-gnu/ld-2.27.so.der
./sign signcert.crt signcert.key /srv/nfs/sid/lib/x86_64-linux-gnu/libc-2.27.so /srv/nfs/sid/lib/x86_64-linux-gnu/libc-2.27.so.der
./sign signcert.crt signcert.key /srv/nfs/sid/lib/x86_64-linux-gnu/libdl-2.27.so /srv/nfs/sid/lib/x86_64-linux-gnu/libdl-2.27.so.der
./sign signcert.crt signcert.key /srv/nfs/sid/lib/x86_64-linux-gnu/libtinfo.so.5.9 /srv/nfs/sid/lib/x86_64-linux-gnu/libtinfo.so.5.9.der
./sign signcert.crt signcert.key /srv/nfs/sid/bin/dash /srv/nfs/sid/bin/dash.der
./sign signcert.crt signcert.key /srv/nfs/sid/bin/bash /srv/nfs/sid/bin/bash.der
./sign signcert.crt signcert.key /srv/nfs/sid/bin/sash /srv/nfs/sid/bin/sash.der

• Kernel:
  • Use modified kernel
  • Enable CONFIG_SECURITY_DIGSIG2
  • Pass path to ca.crt as CONFIG_DIGSIG2_TRUSTED_KEYS
  • Pass security=digsig init=/bin/bash as boot parameters
  • Signed binaries and libraries will work. Unsigned ones will segfault