tock / elf2tab

Tool to create Tock Application Bundles from ELF files.
MIT License

Add support for adding credentials to a userspace binary #43

Closed phil-levis closed 2 years ago

phil-levis commented 2 years ago

Verifying the integrity of userspace binaries involves adding credentials footers. Adding credentials footers requires adding a header that distinguishes the end of the program binary (executable code) from the end of the userspace binary (the whole binary image including footers). This is necessary because footers are not covered by integrity.

This pull request:

  1. Adds the -sha256, -sha512, and -rsa4096 flags; each flag adds the corresponding footer. The RSA4096 footer uses a PKCS#1 v1.5 signature with SHA512.
  2. Adds support for a Program Header. A Program Header is an extended Main Header, which contains two additional fields. One indicates the offset within the binary at which code ends (and footers begin). The second indicates the version of the userspace binary. The version field allows supporting new versions of the same application. elf2tab now always inserts both a Program and a Main Header, the latter for backwards compatibility with older kernels.
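
Why the header has to record where the program ends, as an added example that is not elf2tab or Tock kernel code: the digest is computed over the bytes up to the end offset and stored in a footer placed after it. The byte layout, the footer type id and the function names are simplified assumptions for illustration, not the real TBF encoding.

```python
import hashlib
import struct

# Simplified, constructed layout (NOT the real TBF encoding):
#   header : total_size (u32 LE) | binary_end_offset (u32 LE)
#   program: executable bytes, ending at binary_end_offset
#   footers: repeated [type u16 LE | length u16 LE | data]
HEADER = struct.Struct("<II")
TLV = struct.Struct("<HH")
FOOTER_SHA256 = 1  # hypothetical type id for this example


def build_image(program: bytes) -> bytes:
    """Return header + program + one SHA-256 credentials footer."""
    binary_end = HEADER.size + len(program)
    total = binary_end + TLV.size + hashlib.sha256().digest_size
    # The header is part of the covered region, so the end offset
    # itself is protected by the digest.
    covered = HEADER.pack(total, binary_end) + program
    digest = hashlib.sha256(covered).digest()
    return covered + TLV.pack(FOOTER_SHA256, len(digest)) + digest


def verify_image(image: bytes) -> bool:
    """Check the SHA-256 footer against bytes [0, binary_end_offset)."""
    if len(image) < HEADER.size:
        return False
    total, binary_end = HEADER.unpack_from(image)
    # Reject offsets that point outside the image or inside the header.
    if total != len(image) or not HEADER.size <= binary_end <= total:
        return False
    covered, pos = image[:binary_end], binary_end
    while pos + TLV.size <= total:
        ftype, flen = TLV.unpack_from(image, pos)
        data = image[pos + TLV.size : pos + TLV.size + flen]
        if len(data) != flen:
            return False  # footer length runs past the end of the image
        if ftype == FOOTER_SHA256:
            return data == hashlib.sha256(covered).digest()
        pos += TLV.size + flen  # skip footer types this example ignores
    return False  # no credential found: treat as unverified
```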

bradjc commented 2 years ago

Just FYI this change seems to need a somewhat (?) new cargo. Originally I got:

cargo install --path .
  Installing elf2tab v0.10.0-dev (/Users/bradjc/git/elf2tab)
    Updating crates.io index
  Downloaded crypto-common v0.1.6
  Downloaded thiserror v1.0.31
  Downloaded typenum v1.15.0
  Downloaded simple_asn1 v0.6.2
  Downloaded proc-macro2 v1.0.40
  Downloaded num_threads v0.1.6
  Downloaded untrusted v0.7.1
  Downloaded cpufeatures v0.2.2
  Downloaded digest v0.10.3
  Downloaded thiserror-impl v1.0.31
  Downloaded spin v0.5.2
  Downloaded num-integer v0.1.45
  Downloaded num-bigint v0.4.3
  Downloaded time-macros v0.2.4
  Downloaded sha2 v0.10.2
  Downloaded block-buffer v0.10.2
  Downloaded num-traits v0.2.15
  Downloaded generic-array v0.14.5
  Downloaded unicode-ident v1.0.2
  Downloaded itoa v1.0.2
  Downloaded filetime v0.2.17
  Downloaded time v0.3.11
error: failed to compile `elf2tab v0.10.0-dev (/Users/bradjc/git/elf2tab)`, intermediate artifacts can be found at `/Users/bradjc/git/elf2tab/target`

Caused by:
  failed to parse manifest at `/Users/bradjc/.cargo/registry/src/github.com-1ecc6299db9ec823/time-0.3.11/Cargo.toml`

Caused by:
  feature `edition2021` is required

  this Cargo does not support nightly features, but if you
  switch to nightly channel you can add
  `cargo-features = ["edition2021"]` to enable this feature

I don't think this is a problem, just something to be aware of.

phil-levis commented 2 years ago

@bradjc I've removed the --program option and have Program Headers always included, as well as addressed your other comments.

bradjc commented 2 years ago

Might be helpful to document how to get an rsa key (what I did):

$ openssl genrsa -aes256 -out tockkey.private.pem 4096
$ openssl rsa -in tockkey.private.pem -outform der -out tockkey.private.der
$ openssl rsa -in tockkey.private.pem -outform der -pubout -out tockkey.public.der

phil-levis commented 2 years ago

> Might be helpful to document how to get an rsa key (what I did):
>
> $ openssl genrsa -aes256 -out tockkey.private.pem 4096
> $ openssl rsa -in tockkey.private.pem -outform der -out tockkey.private.der
> $ openssl rsa -in tockkey.private.pem -outform der -pubout -out tockkey.public.der

Yes, great point. What's the right place to document this?

bradjc commented 2 years ago

I added it to the elf2tab readme as well as more credential documentation.

I also added SHA384 support.

phil-levis commented 2 years ago

OK - looks like this is good to go? Let's discuss at the core meeting today.

bradjc commented 2 years ago

I updated this to current master and added some new changes.

We should do another round of testing with the kernel PR, but I think we should merge this soon since we have the 1.10 release that most people can use.