Does linux support signed binaries?

Question

I am looking for something similar to what iOS supports. Does it exist in linux?

With a secure boot (based in hardware chain of trust), doesn't it make sense to have signed binaries for security? Actually, if I have an opportunity to do signed binaries or add SElinux policies to all services and contain them as much as possible which one would be a bigger ROI in terms of security?

I am not saying they are used for the same purpose but just at a high level which one would you do first, if one has to prioritize.

Your options come down to be careful about what gets installed - check hashes of downloaded software - and use something like OSSEC to monitor file integrity after installation. — crovers, Oct 03 '16 at 20:47
For information, since I don't know whether your requirement is using a free Unix-like system or specifically Linux, NetBSD should support such a feature, see [Veriexec](https://wiki.netbsd.org/veriexec/). — WhiteWinterWolf, Oct 03 '16 at 21:13

score 10 · Answer 1 · edited Nov 21 '18 at 11:36

10

If you're looking for signed binaries you may find elfsign and elfverify to be of interest to you. This doesn't provide a tie in for the linker. It's a manually process that writes the signature into the ELF header. Additionally, I would suggest checking out the kernel's IMA appraisal extension.

See also,

edited Nov 21 '18 at 11:36

forest

64,616
20
206
257

answered Nov 20 '18 at 01:25

Evan Carroll

2,325
4
22
29

score 3 · Answer 2 · answered Oct 03 '16 at 20:45

3

Does it exist in linux?

No.

if I have an opportunity to do signed binaries or add SElinux policies to all services and contain them as much as possible which one would be a bigger ROI in terms of security?

The former would have to built from scratch - I would guess at more than 50,000 lines of code scattered between the kernel, linker and various other binaries. Sadly using SELinux is about as much fun and similarly cost effective.

There was a project - digsig which attempted to implemented a fully "trusted" environment on Linux - but was never really very effective (only worked with ELF binaries for one thing, and would require you to build your distro pretty much from scratch).

You would get much more benefit from learning how to use the facilities already available than sprinkling magic security pixie dust on top of your servers.

answered Oct 03 '16 at 20:45

symcbean

18,278
39
73

2

**This is incorrect.** Things like IMA (as just mentioned in a new answer) and dm-verity can do this. – forest Nov 20 '18 at 01:26
True, but it's a third party kernel patch, and the OP did ask about ROI – symcbean Nov 21 '18 at 01:02
2

It's not out of tree, neither is dm-verity. It was merged with the main tree in 2.6.30, and IMA appraisal (refusing to execute unsigned binaries rather than just logging the attempt) was merged in 3.7 – forest Nov 21 '18 at 11:32

Does linux support signed binaries?

2 Answers2

Linked