On Tue, Apr 25, 2017 at 10:07:37AM +0000, Stuart Henderson wrote:
> On 2017-04-25, Peter J. Philipp <p...@centroid.eu> wrote:
> > Hi,
> >
> > In the past I've been examining signed binaries in the OpenBSD system.
> > I wrote some kernel code for this, but I'm stuck before it got good. In
> > particular the problem I have is adding an ELF header to a compiled
> > binary. So I want to ask the pros first: what areas must I modify to
> > get a compiled result that has an extra ELF header. I've been modifying
> > binutils and binutils-2.17 but didn't strike gold there. Also finding
> > literature on how to deal with this is *very* hard. There is a book
> > from 1998 or something which is probably not up-to-date anymore, 19
> > years have passed. I also found a patch by matt dempsky online which
> > does the randomize stuff, but that didn't help me much either.
>
> I'd look at the wxneeded commits around 2016/05/28. github mirror is
> probably thd easiest way to find them.
I was wondering if I could ask misc's help one more time. I made modifications
and it works brilliantly compiling programs with a new ELF header but I don't
understand the code too well, I just managed to copy and change Theo's code a
little bit and it works, mostly. To compile a new "ELFSEC" header one has to
put 'LDFLAGS+= -Wl,-zelfsec' in /etc/mk.conf, but it doesn't seem to add the
header to binutils such as gas (as) since they seem to be ld'ed with the gnu
ld. I'd rather have it that all binaries produced get a ELFSEC header. Can
you help?
I'm going to attach my ELFSEC patch, which is some code to be able to run
signed HMAC binaries. Programs are compiled with the "blank" header and then
later "signed" with a special program. That program I'm not going to pack into
this mail since it's just a debug program for now, something better needs to be
the official program.
Also excuse the non-cvs diff, I couldn't make it display code that wasn't
already cvs added.
Regards,
-peter
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/bfd/elf-bfd.h
src/gnu/usr.bin/binutils-2.17/bfd/elf-bfd.h
--- /usr/src/gnu/usr.bin/binutils-2.17/bfd/elf-bfd.h Tue May 31 19:05:03 2016
+++ src/gnu/usr.bin/binutils-2.17/bfd/elf-bfd.h Sun Apr 16 13:37:50 2017
@@ -1340,6 +1340,9 @@
/* TRUE if output program should be marked to request W^X permission */
bfd_boolean wxneeded;
+ /* TRUE if output program should be marked to run ELFSEC'ed */
+ bfd_boolean elfsec;
+
/* Symbol version definitions in external objects. */
Elf_Internal_Verdef *verdef;
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/bfd/elf.c
src/gnu/usr.bin/binutils-2.17/bfd/elf.c
--- /usr/src/gnu/usr.bin/binutils-2.17/bfd/elf.c Wed Aug 10 22:46:08 2016
+++ src/gnu/usr.bin/binutils-2.17/bfd/elf.c Sun Apr 16 13:48:59 2017
@@ -1087,6 +1087,7 @@
case PT_GNU_RELRO: pt = "RELRO"; break;
case PT_OPENBSD_RANDOMIZE: pt = "OPENBSD_RANDOMIZE"; break;
case PT_OPENBSD_WXNEEDED: pt = "OPENBSD_WXNEEDED"; break;
+ case PT_OPENBSD_ELFSEC: pt = "OPENBSD_ELFSEC"; break;
case PT_OPENBSD_BOOTDATA: pt = "OPENBSD_BOOTDATA"; break;
default: pt = NULL; break;
}
@@ -2617,6 +2618,11 @@
return _bfd_elf_make_section_from_phdr (abfd, hdr, index,
"openbsd_wxneeded");
+ case PT_OPENBSD_ELFSEC:
+ return _bfd_elf_make_section_from_phdr (abfd, hdr, index,
+
"openbsd_elfsec");
+
+
default:
/* Check for any processor-specific program segment types. */
bed = get_elf_backend_data (abfd);
@@ -3951,6 +3957,22 @@
pm = &m->next;
}
+ if (elf_tdata (abfd)->elfsec)
+ {
+ amt = sizeof (struct elf_segment_map);
+ m = bfd_zalloc (abfd, amt);
+ if (m == NULL)
+ goto error_return;
+ m->next = NULL;
+ m->p_type = PT_OPENBSD_ELFSEC;
+ m->p_flags = 1;
+ m->p_flags_valid = 1;
+
+ *pm = m;
+ pm = &m->next;
+
+ }
+
/* If there is a .openbsd.randomdata section, throw in a PT_OPENBSD_RANDOMIZE
segment. */
randomdata = bfd_get_section_by_name (abfd, ".openbsd.randomdata");
@@ -4737,6 +4759,13 @@
/* We need a PT_OPENBSD_WXNEEDED segment. */
++segs;
}
+
+ if (elf_tdata (abfd)->elfsec)
+ {
+ /* We need a PT_OPENBSD_ELFSEC segment. */
+ ++segs;
+ }
+
for (s = abfd->sections; s != NULL; s = s->next)
{
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/bfd/elflink.c
src/gnu/usr.bin/binutils-2.17/bfd/elflink.c
--- /usr/src/gnu/usr.bin/binutils-2.17/bfd/elflink.c Sat Sep 3 11:34:33 2016
+++ src/gnu/usr.bin/binutils-2.17/bfd/elflink.c Sun Apr 16 13:41:54 2017
@@ -4977,6 +4977,7 @@
elf_tdata (output_bfd)->relro = info->relro;
elf_tdata (output_bfd)->wxneeded = info->wxneeded;
+ elf_tdata (output_bfd)->elfsec = info->elfsec;
elf_tdata (output_bfd)->executable = info->executable;
if (info->execstack)
elf_tdata (output_bfd)->stack_flags = PF_R | PF_W | PF_X;
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/binutils/readelf.c
src/gnu/usr.bin/binutils-2.17/binutils/readelf.c
--- /usr/src/gnu/usr.bin/binutils-2.17/binutils/readelf.c Sun Feb 19
13:42:45 2017
+++ src/gnu/usr.bin/binutils-2.17/binutils/readelf.c Sun Apr 16 13:43:01 2017
@@ -2391,6 +2391,8 @@
return "OPENBSD_RANDOMIZE";
case PT_OPENBSD_WXNEEDED:
return "OPENBSD_WXNEEDED";
+ case PT_OPENBSD_ELFSEC:
+ return "OPENBSD_ELFSEC";
case PT_OPENBSD_BOOTDATA:
return "OPENBSD_BOOTDATA";
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/include/bfdlink.h
src/gnu/usr.bin/binutils-2.17/include/bfdlink.h
--- /usr/src/gnu/usr.bin/binutils-2.17/include/bfdlink.h Tue Jun 21
04:55:57 2016
+++ src/gnu/usr.bin/binutils-2.17/include/bfdlink.h Sun Apr 16 13:43:37 2017
@@ -267,6 +267,9 @@
/* TRUE if output program should be marked to request W^X permission */
unsigned int wxneeded: 1;
+ /* TRUE if output program should be ELFSEC'ed */
+ unsigned int elfsec: 1;
+
/* TRUE if ok to have version with no definition. */
unsigned int allow_undefined_version: 1;
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/include/elf/common.h
src/gnu/usr.bin/binutils-2.17/include/elf/common.h
--- /usr/src/gnu/usr.bin/binutils-2.17/include/elf/common.h Wed Jan 25
09:56:08 2017
+++ src/gnu/usr.bin/binutils-2.17/include/elf/common.h Sun Apr 16 13:44:05 2017
@@ -308,6 +308,7 @@
#define PT_OPENBSD_RANDOMIZE 0x65a3dbe6 /* Fill with random data. */
#define PT_OPENBSD_WXNEEDED 0x65a3dbe7 /* Program does W^X violations */
+#define PT_OPENBSD_ELFSEC 0x65a3dbe8 /* Program does ELFSEC */
#define PT_OPENBSD_BOOTDATA 0x65a41be6 /* Section for boot arguments */
/* Program segment permissions, in program header p_flags field. */
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/ld/emultempl/elf32.em
src/gnu/usr.bin/binutils-2.17/ld/emultempl/elf32.em
--- /usr/src/gnu/usr.bin/binutils-2.17/ld/emultempl/elf32.em Sat Sep 10
07:16:06 2016
+++ src/gnu/usr.bin/binutils-2.17/ld/emultempl/elf32.em Sun Apr 16 13:44:49 2017
@@ -2186,6 +2186,8 @@
link_info.relro = FALSE;
else if (strcmp (optarg, "wxneeded") == 0)
link_info.wxneeded = TRUE;
+ else if (strcmp (optarg, "elfsec") == 0)
+ link_info.elfsec = TRUE;
else if (strcmp (optarg, "notext") == 0)
link_info.allow_textrel = TRUE;
else if (strcmp (optarg, "text") == 0)
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/ld/ld.texinfo
src/gnu/usr.bin/binutils-2.17/ld/ld.texinfo
--- /usr/src/gnu/usr.bin/binutils-2.17/ld/ld.texinfo Tue Jun 21 04:55:57 2016
+++ src/gnu/usr.bin/binutils-2.17/ld/ld.texinfo Sun Apr 16 13:45:49 2017
@@ -1019,6 +1019,10 @@
indicating it is expected to perform W^X violating operations later
(such as calling mprotect(2) or mmap(2) with both PROT_WRITE and PROT_EXEC).
+@item elfsec
+Marks the executable with a @code{PT_OPENBSD_ELFSEC} program header,
+indicating it is expected to perform ELFSEC'ed operations later.
+
@end table
Other keywords are ignored for Solaris compatibility.
diff -Pur /usr/src/gnu/usr.bin/binutils-2.17/ld/ldgram.y
src/gnu/usr.bin/binutils-2.17/ld/ldgram.y
--- /usr/src/gnu/usr.bin/binutils-2.17/ld/ldgram.y Wed Aug 10 22:46:08 2016
+++ src/gnu/usr.bin/binutils-2.17/ld/ldgram.y Sun Apr 16 13:46:28 2017
@@ -1095,6 +1095,8 @@
$$ = exp_intop (0x65a3dbe6);
else if (strcmp (s, "PT_OPENBSD_WXNEEDED") == 0)
$$ = exp_intop (0x65a3dbe7);
+ else if (strcmp (s, "PT_OPENBSD_ELFSEC") == 0)
+ $$ = exp_intop (0x65a3dbe8);
else if (strcmp (s, "PT_OPENBSD_BOOTDATA") == 0)
$$ = exp_intop (0x65a41be6);
else
Only in /usr/src/gnu/usr.bin/cvs/doc: CVSvn.texi
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-1
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-2
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-3
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-4
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-5
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-6
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-7
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-8
Only in /usr/src/gnu/usr.bin/cvs/doc: cvs.info-9
Only in /usr/src/gnu/usr.bin/cvs/doc: cvsclient.info
Only in /usr/src/gnu/usr.bin/cvs/doc: cvsclient.info-1
Only in /usr/src/gnu/usr.bin/cvs/doc: cvsclient.info-2
Only in /usr/src/gnu/usr.bin/cvs/doc: cvsclient.info-3
Only in /usr/src/gnu/usr.bin/cvs/emx: Makefile
Only in /usr/src/gnu/usr.bin/cvs/lib: getdate.c
Only in /usr/src/gnu/usr.bin/cvs/os2: Makefile
Only in /usr/src/gnu/usr.bin/cvs/src: version.c
diff -Pur /usr/src/lib/libc/sys/Makefile.inc src/lib/libc/sys/Makefile.inc
--- /usr/src/lib/libc/sys/Makefile.inc Wed Mar 29 18:29:02 2017
+++ src/lib/libc/sys/Makefile.inc Fri Apr 14 18:22:34 2017
@@ -45,7 +45,7 @@
bind.o chdir.o chflags.o chflagsat.o chmod.o chown.o chroot.o \
clock_getres.o clock_gettime.o clock_settime.o \
dup.o dup2.o dup3.o \
- execve.o \
+ elfsec.o execve.o \
faccessat.o fchdir.o fchflags.o fchmod.o fchmodat.o fchown.o \
fchownat.o fhopen.o fhstat.o fhstatfs.o \
flock.o fpathconf.o fstat.o fstatat.o fstatfs.o \
Only in /usr/src/regress/sys/kern/extent: extest.exp
Only in /usr/src/regress/usr.bin/doas: t-fail-quotes.err
Only in /usr/src/regress/usr.bin/doas: t-fail-quotes.out
Only in /usr/src/regress/usr.bin/doas: t-okay.err
Only in /usr/src/regress/usr.bin/doas: t-okay.out
Only in /usr/src/regress/usr.bin/libtool: a.c
Only in /usr/src/regress/usr.bin/libtool: b.c
Only in /usr/src/regress/usr.bin/libtool: c.c
Only in /usr/src/regress/usr.bin/libtool: d.c
Only in /usr/src/regress/usr.bin/libtool: e.c
diff -Pur /usr/src/sys/arch/amd64/compile/ELFSEC/Makefile
src/sys/arch/amd64/compile/ELFSEC/Makefile
--- /usr/src/sys/arch/amd64/compile/ELFSEC/Makefile Thu Jan 1 01:00:00 1970
+++ src/sys/arch/amd64/compile/ELFSEC/Makefile Fri Apr 14 17:45:33 2017
@@ -0,0 +1 @@
+.include "../Makefile.inc"
diff -Pur /usr/src/sys/arch/amd64/conf/ELFSEC src/sys/arch/amd64/conf/ELFSEC
--- /usr/src/sys/arch/amd64/conf/ELFSEC Thu Jan 1 01:00:00 1970
+++ src/sys/arch/amd64/conf/ELFSEC Fri Apr 14 17:45:31 2017
@@ -0,0 +1,659 @@
+# $OpenBSD: GENERIC,v 1.442 2017/03/12 21:31:18 jcs Exp $
+#
+# For further information on compiling OpenBSD kernels, see the config(8)
+# man page.
+#
+# For further information on hardware support for this architecture, see
+# the intro(4) man page. For further information about kernel options
+# for this architecture, see the options(4) man page. For an explanation
+# of each device driver in this file see the section 4 man page for the
+# device.
+
+machine amd64
+include "../../../conf/GENERIC"
+maxusers 80 # estimated number of users
+
+option USER_PCICONF # user-space PCI configuration
+
+#option VM86 # Virtual 8086 emulation
+option APERTURE # in-kernel aperture driver for XFree86
+option MTRR # CPU memory range attributes control
+
+#option KGDB # Remote debugger support; exclusive of
DDB
+#option "KGDB_DEVNAME=\"com\"",KGDBADDR=0x2f8,KGDBRATE=9600
+
+option NTFS # NTFS support
+option HIBERNATE # Hibernate support
+
+config bsd swap generic
+
+mainbus0 at root
+
+bios0 at mainbus?
+cpu0 at mainbus?
+ioapic* at mainbus?
+isa0 at mainbus0
+isa0 at pcib?
+isa0 at amdpcib?
+isa0 at tcpcib?
+pci* at mainbus0
+vmm0 at mainbus0
+pvbus0 at mainbus0
+
+acpi0 at bios0
+acpitimer* at acpi?
+acpihpet* at acpi?
+acpiac* at acpi?
+acpibat* at acpi?
+acpibtn* at acpi?
+acpicpu* at acpi?
+acpidock* at acpi?
+acpiec* at acpi?
+acpiprt* at acpi?
+acpisbs* at acpi?
+acpitz* at acpi?
+acpimadt0 at acpi?
+acpimcfg* at acpi?
+acpiasus* at acpi?
+acpisony* at acpi?
+acpithinkpad* at acpi?
+acpitoshiba* at acpi?
+acpivideo* at acpi?
+acpivout* at acpivideo?
+acpipwrres* at acpi?
+aibs* at acpi?
+bytgpio* at acpi?
+chvgpio* at acpi?
+sdhc* at acpi?
+acpicbkbd* at acpi?
+acpials* at acpi?
+tpm* at acpi?
+acpihve* at acpi?
+
+mpbios0 at bios0
+
+ipmi0 at mainbus? disable # IPMI
+
+vmt0 at pvbus? # VMware Tools
+
+xen0 at pvbus? # Xen HVM domU
+xnf* at xen? # Xen Netfront
+xbf* at xen? # Xen Blkfront
+
+hyperv0 at pvbus? # Hyper-V guest
+hvn* at hyperv? # Hyper-V NetVSC
+
+option PCIVERBOSE
+option USBVERBOSE
+
+pchb* at pci? # PCI-Host bridges
+aapic* at pci? # AMD 8131 IO apic
+ppb* at pci? # PCI-PCI bridges
+pci* at ppb?
+pci* at pchb?
+pcib* at pci? # PCI-ISA bridge
+amdpcib* at pci? # AMD 8111 LPC bridge
+tcpcib* at pci? # Intel Atom E600 LPC bridge
+kate* at pci? # AMD K8 temperature sensor
+km* at pci? # AMD K10 temperature sensor
+amas* at pci? disable # AMD memory configuration
+pchtemp* at pci? # Intel C610 termperature sensor
+
+# National Semiconductor LM7[89] and compatible hardware monitors
+lm0 at isa? port 0x290
+#lm1 at isa? port 0x280
+#lm2 at isa? port 0x310
+
+it* at isa? port 0x2e # ITE IT8705F, IT8712F, IT8716F, IT8718F,
+it* at isa? port 0x4e # IT8726F and SiS SiS950 monitors and
+ # watchdog timer
+
+schsio* at isa? port 0x2e # SMSC SCH311x Super I/O
+schsio* at isa? port 0x4e
+schsio* at isa? port 0x162e
+schsio* at isa? port 0x164e
+
+#viasio* at isa? port 0x2e flags 0x0000 # VIA VT1211 LPC Super I/O
+#viasio* at isa? port 0x4e flags 0x0000
+
+wbsio* at isa? port 0x2e # Winbond LPC Super I/O
+wbsio* at isa? port 0x4e
+lm* at wbsio?
+uguru0 at isa? disable port 0xe0 # ABIT uGuru
+
+aps0 at isa? port 0x1600 # ThinkPad Active Protection System
+asmc0 at isa? port 0x300 # Apple SMC
+
+piixpm* at pci? # Intel PIIX PM
+iic* at piixpm?
+ichiic* at pci? # Intel ICH SMBus controller
+iic* at ichiic?
+viapm* at pci? # VIA SMBus controller
+iic* at viapm?
+amdiic* at pci? # AMD-8111 SMBus controller
+iic* at amdiic?
+nviic* at pci? # NVIDIA nForce2/3/4 SMBus controller
+iic* at nviic?
+amdpm* at pci? # AMD-7xx/8111 and NForce SMBus controller
+iic* at amdpm?
+dwiic* at acpi? # DesignWare Synopsys i2c controller
+iic* at dwiic?
+
+itherm* at pci? # Intel 3400 Thermal Sensor
+adc* at iic? # Analog Devices AD7416/AD7417/7418
+adl* at iic? # Andigilog aSC7621
+admtemp* at iic? # Analog Devices ADM1021
+admlc* at iic? # Analog Devices ADM1024
+admtm* at iic? # Analog Devices ADM1025
+admcts* at iic? # Analog Devices ADM1026
+admtmp* at iic? # Analog Devices ADM1030
+admtt* at iic? # Analog Devices ADM1031
+adt* at iic? # Analog Devices ADT7460
+andl* at iic? # Andigilog aSC7611
+lisa* at iic? # STMicroelectronics LIS331DL motion sensor
+lm* at iic? # National Semiconductor LM78/79
+lmenv* at iic? # National Semiconductor LM87
+lmtemp* at iic? # National Semiconductor LM75/LM77
+lmn* at iic? # National Semiconductor LM93
+maxds* at iic? # Maxim DS1631
+maxtmp* at iic? # Maxim MAX6642/MAX6690
+spdmem* at iic? # SPD memory eeproms
+sdtemp* at iic? # SO-DIMM (JC-42.4) temperature
+wbng* at iic? # Winbond W83793G
+nvt* at iic? # Novoton W83795G
+ihidev* at iic? # HID-over-i2c
+ims* at ihidev? # HID-over-i2c mouse/trackpad
+wsmouse* at ims? mux 0
+ikbd* at ihidev? # i2c keyboard
+wskbd* at ikbd? mux 1
+imt* at ihidev? # HID-over-i2c multitouch trackpad
+wsmouse* at imt? mux 0
+iatp* at iic? # Atmel maXTouch i2c touchpad/touchscreen
+wsmouse* at iatp? mux 0
+
+skgpio0 at isa? port 0x680 # Soekris net6501 GPIO and LEDs
+gpio* at skgpio?
+
+#option PCMCIAVERBOSE
+
+# PCI PCMCIA controllers
+#pcic* at pci?
+
+# PCMCIA bus support
+#pcmcia* at pcic?
+
+# CardBus bus support
+cbb* at pci?
+cardslot* at cbb?
+cardbus* at cardslot?
+pcmcia* at cardslot?
+
+# USB Controllers
+xhci* at pci? # eXtensible Host Controller
+ehci* at pci? # Enhanced Host Controller
+ehci* at cardbus? # Enhanced Host Controller
+uhci* at pci? # Universal Host Controller (Intel)
+uhci* at cardbus? # Universal Host Controller (Intel)
+ohci* at pci? # Open Host Controller
+ohci* at cardbus? # Open Host Controller
+
+# USB bus support
+usb* at xhci?
+usb* at ehci?
+usb* at uhci?
+usb* at ohci?
+
+# USB devices
+uhub* at usb? # USB Hubs
+uhub* at uhub? # USB Hubs
+ualea* at uhub? # Araneus Alea II TRNG
+uonerng* at uhub? # Moonbase Otago OneRNG
+umodem* at uhub? # USB Modems/Serial
+ucom* at umodem?
+uvisor* at uhub? # Handspring Visor
+ucom* at uvisor?
+uvscom* at uhub? # SUNTAC Slipper U VS-10U serial
+ucom* at uvscom?
+ubsa* at uhub? # Belkin serial adapter
+ucom* at ubsa?
+uftdi* at uhub? # FTDI FT8U100AX serial adapter
+ucom* at uftdi?
+uplcom* at uhub? # I/O DATA USB-RSAQ2 serial adapter
+ucom* at uplcom?
+umct* at uhub? # MCT USB-RS232 serial adapter
+ucom* at umct?
+uslcom* at uhub? # Silicon Laboratories CP210x serial
+ucom* at uslcom?
+uark* at uhub? # Arkmicro ARK3116 serial
+ucom* at uark?
+moscom* at uhub? # MosChip MCS7703 serial
+ucom* at moscom?
+umcs* at uhub? # MosChip MCS78x0 serial
+ucom* at umcs?
+uipaq* at uhub? # iPAQ serial adapter
+ucom* at uipaq?
+umsm* at uhub? # Qualcomm MSM EVDO
+ucom* at umsm?
+uchcom* at uhub? # WinChipHead CH341/340 serial
+ucom* at uchcom?
+uticom* at uhub? # TI serial
+ucom* at uticom?
+uaudio* at uhub? # USB Audio
+audio* at uaudio?
+umidi* at uhub? # USB MIDI
+midi* at umidi?
+ulpt* at uhub? # USB Printers
+umass* at uhub? # USB Mass Storage devices
+ubcmtp* at uhub? # Broadcom USB trackpad
+wsmouse* at ubcmtp? mux 0
+uhidev* at uhub? # Human Interface Devices
+ums* at uhidev? # USB mouse
+wsmouse* at ums? mux 0
+uts* at uhub? # USB touchscreen
+wsmouse* at uts? mux 0
+uwacom* at uhidev? # USB Wacom tablet
+wsmouse* at uwacom? mux 0
+ukbd* at uhidev? # USB keyboard
+wskbd* at ukbd? mux 1
+ucycom* at uhidev? # Cypress serial
+ucom* at ucycom?
+uslhcom* at uhidev? # Silicon Labs CP2110 USB HID UART
+ucom* at uslhcom?
+uhid* at uhidev? # USB generic HID support
+upd* at uhidev? # USB Power Devices sensors
+aue* at uhub? # ADMtek AN986 Pegasus Ethernet
+atu* at uhub? # Atmel AT76c50x based 802.11b
+axe* at uhub? # ASIX Electronics AX88172 USB Ethernet
+axen* at uhub? # ASIX Electronics AX88179 USB Ethernet
+cue* at uhub? # CATC USB-EL1201A based Ethernet
+kue* at uhub? # Kawasaki KL5KUSB101B based Ethernet
+smsc* at uhub? # SMSC LAN95xx Ethernet
+cdce* at uhub? # CDC Ethernet
+urndis* at uhub? # Remote NDIS Ethernet
+upl* at uhub? # Prolific PL2301/PL2302 host-to-host `network'
+ugl* at uhub? # Genesys Logic GL620USB-A host-to-host
`network'
+udav* at uhub? # Davicom DM9601 based Ethernet
+mos* at uhub? # MOSCHIP MCS7730/7830 10/100 Ethernet
+url* at uhub? # Realtek RTL8150L based adapters
+ure* at uhub? # Realtek RTL8152 based adapters
+wi* at uhub? # WaveLAN IEEE 802.11DS
+udsbr* at uhub? # D-Link DSB-R100 radio
+radio* at udsbr? # USB radio
+uberry* at uhub? # Research In Motion BlackBerry
+ugen* at uhub? # USB Generic driver
+uath* at uhub? # Atheros AR5005UG/AR5005UX
+ural* at uhub? # Ralink RT2500USB
+rum* at uhub? # Ralink RT2501USB/RT2601USB
+run* at uhub? # Ralink RT2700U/RT2800U/RT3000U
+otus* at uhub? # Atheros AR9001U
+athn* at uhub? # Atheros AR9002U
+zyd* at uhub? # Zydas ZD1211
+upgt* at uhub? # Conexant/Intersil PrismGT SoftMAC USB
+urtw* at uhub? # Realtek 8187
+rsu* at uhub? # Realtek RTL8188SU/RTL8191SU/RTL8192SU
+urtwn* at uhub? # Realtek RTL8188CU/RTL8192CU
+udcf* at uhub? # Gude Expert mouseCLOCK
+umb* at uhub? # Mobile Broadband Interface Model
+uthum* at uhidev? # TEMPerHUM sensor
+ugold* at uhidev? # gold TEMPer sensor
+utrh* at uhidev? # USBRH sensor
+utwitch* at uhidev? # YUREX BBU sensor
+uow* at uhub? # Maxim/Dallas DS2490 1-Wire adapter
+uoakrh* at uhidev? # Toradex OAK temp and rel humidity
+uoaklux* at uhidev? # Toradex OAK LUX
+uoakv* at uhidev? # Toradex OAK 10V sensor
+onewire* at uow?
+uvideo* at uhub? # USB Video
+video* at uvideo?
+utvfu* at uhub? # Fushicai Audio-Video Grabber
+video* at utvfu?
+audio* at utvfu?
+udl* at uhub? # DisplayLink USB displays
+wsdisplay* at udl?
+
+puc* at pci? # PCI "universal" communication device
+com* at cardbus?
+
+sdhc* at pci? # SD Host Controller
+sdmmc* at sdhc? # SD/MMC bus
+rtsx* at pci? # Realtek SD Card Reader
+sdmmc* at rtsx? # SD/MMC bus
+
+isadma0 at isa?
+
+option WSDISPLAY_COMPAT_USL # VT handling
+option WSDISPLAY_COMPAT_RAWKBD # provide raw scancodes; needed for X11
+option WSDISPLAY_DEFAULTSCREENS=6 # initial number of text consoles
+
+pckbc0 at isa? flags 0x00 # PC keyboard controller
+pckbd* at pckbc? # PC keyboard
+pms* at pckbc? # PS/2 mouse for wsmouse
+vga0 at isa?
+option X86EMU # to POST video cards
+vga* at pci?
+wsdisplay0 at vga? console 1
+wskbd* at pckbd? mux 1
+wsmouse* at pms? mux 0
+
+#mmuagp* at pchb? # amd64 mmu agp.
+#agp* at mmuagp?
+
+inteldrm* at pci? # Intel i915, i945 DRM driver
+intagp* at inteldrm?
+agp* at intagp?
+drm0 at inteldrm? console 1
+drm* at inteldrm?
+wsdisplay0 at inteldrm? console 1
+wsdisplay* at inteldrm? mux -1
+radeondrm* at pci? # ATI Radeon DRM driver
+drm0 at radeondrm? console 1
+drm* at radeondrm?
+wsdisplay0 at radeondrm? console 1
+wsdisplay* at radeondrm? mux -1
+
+pcppi0 at isa?
+
+com0 at isa? port 0x3f8 irq 4 # standard PC serial ports
+com1 at isa? port 0x2f8 irq 3
+com2 at isa? port 0x3e8 irq 5
+com3 at isa? disable port 0x2e8 irq 9 # (conflicts with some video cards)
+
+com* at pcmcia? # PCMCIA modems/serial ports
+com* at puc?
+
+# options CY_HW_RTS
+#cy* at pci? # PCI cyclom serial card
+#cz* at pci? # Cyclades-Z multi-port serial boards
+
+lpt0 at isa? port 0x378 irq 7 # standard PC parallel ports
+#lpt1 at isa? port 0x278
+#lpt2 at isa? port 0x3bc
+lpt* at puc?
+
+efifb0 at mainbus? # EFI Framebuffer
+wsdisplay0 at efifb? console 1
+
+ahc* at pci? # Adaptec 2940 SCSI controllers
+jmb* at pci? # JMicron JMB36x controllers
+ahci* at jmb? flags 0x0000 # flags 0x0001 to force SATA 1 (1.5Gb/s)
+pciide* at jmb?
+ahci* at pci? flags 0x0000 # AHCI SATA controllers
+ # flags 0x0001 to force SATA 1 (1.5Gb/s)
+sili* at pci? # Silicon Image 3124/3132/3531 SATA
+ahd* at pci? # Adaptec 79?? SCSI controllers
+arc* at pci? # Areca RAID Controller
+mpi* at pci? # LSI Logic Message Passing Interface
+mpii* at pci? # LSI Message Passing Interface II
+gdt* at pci? # ICP Vortex GDT RAID controllers
+twe* at pci? # 3ware Escalade RAID controllers
+#aac* at pci? # Adaptec FSA RAID controllers
+ami* at pci? # AMI MegaRAID controllers
+mfi* at pci? # LSI MegaRAID SAS controllers
+mfii* at pci? # LSI MegaRAID SAS Fusion controllers
+#cac* at pci? # Compaq Smart ARRAY [234]* RAID
controllers
+ciss* at pci? # Compaq Smart ARRAY [56]* RAID
controllers
+iha* at pci? # Initio Ultra/UltraWide SCSI
controllers
+ips* at pci? # IBM ServeRAID controllers
+qlw* at pci? # QLogic ISP SCSI
+qla* at pci? # QLogic ISP 2[123]xx FibreChannel
+qle* at pci? # QLogic ISP 2[45]xx FibreChannel
+aic* at pcmcia? # PCMCIA Adaptec 152[02] SCSI
+#esp* at pcmcia? # PCMCIA based NCR 53C9X SCSI
+siop* at pci? # NCR 538XX SCSI controllers
+#adv* at pci? # AdvanSys 1200A/B and ULTRA SCSI
+adw* at pci? # AdvanSys ULTRA WIDE SCSI
+pcscp* at pci? # AMD 53c974 PCscsi-PCI SCSI
+#trm* at pci? # Tekram DC-3x5U SCSI Controllers
+vmwpvs* at pci? # VMware ParaVirtual SCSI
+nvme* at pci? # NVMe controllers
+
+scsibus* at scsi?
+sd* at scsibus? # SCSI disk drives
+st* at scsibus? # SCSI tape drives
+cd* at scsibus? # SCSI CD-ROM drives
+ch* at scsibus? # SCSI autochangers
+safte* at scsibus? # SCSI accessed fault-tolerant encl
+ses* at scsibus? # SCSI enclosure services
+uk* at scsibus? # unknown SCSI
+
+mpath0 at root
+emc* at scsibus?
+hds* at scsibus?
+rdac* at scsibus?
+sym* at scsibus?
+
+fdc0 at isa? port 0x3f0 irq 6 drq 2 # standard PC floppy controllers
+#fdc1 at isa? port 0x370
+fd* at fdc? flags 0x00
+
+# IDE controllers
+pciide* at pci? flags 0x0000
+
+wdc0 at isa? disable port 0x1f0 irq 14 flags 0x00
+wdc1 at isa? disable port 0x170 irq 15 flags 0x00
+wdc* at pcmcia?
+
+# IDE hard drives
+wd* at wdc? flags 0x0000
+wd* at pciide? flags 0x0000
+
+# ATAPI<->SCSI
+atapiscsi* at wdc?
+atapiscsi* at pciide?
+
+# Networking devices
+de* at pci? # DC21X4X-based ethernet
+fxp* at pci? # EtherExpress 10/100B ethernet
+fxp* at cardbus? # Intel PRO/100 ethernet
+ne* at pci? # NE2000-compat ethernet
+ep* at pci? # 3C59x ethernet
+ne* at pcmcia? # PCMCIA based NE2000 ethernet
+ep* at pcmcia? # PCMCIA based 3C5xx ethernet
+sm* at pcmcia? # PCMCIA based sm ethernet
+xe* at pcmcia? # Xircom ethernet
+xl* at pci? # 3C9xx ethernet
+xl* at cardbus? # 3C575/3C656 ethernet
+rl* at pci? # Realtek 81[23]9 ethernet
+rl* at cardbus? # Realtek 81[23]9 ethernet
+#mtd* at pci? # Myson MTD800/803/891
+epic* at pci? # SMC EPIC/100 ethernet
+#tl* at pci? # Compaq Thunderlan ethernet
+vr* at pci? # VIA Rhine ethernet
+#wb* at pci? # Winbond W89C840F ethernet
+sf* at pci? # Adaptec AIC-6915 ethernet
+sis* at pci? # SiS 900/7016 ethernet
+se* at pci? # SiS 190/191 ethernet
+#ste* at pci? # Sundance ST201 ethernet BORKED
+pcn* at pci? # AMD PCnet-PCI Ethernet
+dc* at pci? # 21143, "tulip" clone ethernet
+dc* at cardbus? # 21143, "tulip" clone ethernet
+ti* at pci? # Alteon Tigon 1Gb ethernet
+skc* at pci? # SysKonnect GEnesis 984x
+sk* at skc? # each port of above
+mskc* at pci? # Marvell Yukon-2
+msk* at mskc? # each port of above
+em* at pci? # Intel Pro/1000 ethernet
+ixgb* at pci? # Intel Pro/10Gb ethernet
+ix* at pci? # Intel 82598EB 10Gb ethernet
+myx* at pci? # Myricom Myri-10G 10Gb ethernet
+oce* at pci? # Emulex OneConnect 10Gb ethernet
+txp* at pci? # 3com 3CR990
+#nge* at pci? # NS DP83820/DP83821 GigE
+bge* at pci? # Broadcom BCM57xx (aka Tigon3)
+bnx* at pci? # Broadcom BCM5706/5708 GigE
+re* at pci? # Realtek 8169/8169S/8110S
+re* at cardbus? # Realtek 8169/8169S/8110S
+stge* at pci? # Sundance TC9021 GigE
+#lge* at pci? # Level1 LXT1001 GigE
+hme* at pci? # Sun Happy Meal
+vge* at pci? # VIA VT612x
+nfe* at pci? # NVIDIA nForce Ethernet
+xge* at pci? # Neterion Xframe-I/II 10Gb ethernet
+thtc* at pci? # Tehuti Networks 10Gb ethernet
+tht* at thtc?
+gem* at pci? # Sun GEM 10/100/Gigabit
+cas* at pci? # Sun Cassini 100/Gigabit
+bce* at pci? # Broadcom BCM4401
+vic* at pci? # VMware VMXnet virtual interface
+vmx* at pci? # VMware VMXNET3 virtual interface
+et* at pci? # Agere/LSI ET1310
+age* at pci? # Attansic L1 Ethernet
+alc* at pci? # Attansic L1C/L1D/L2C Ethernet
+ale* at pci? # Attansic L1E Ethernet
+lii* at pci? # Attansic L2 Ethernet
+jme* at pci? # JMicron JMC250/JMC260 Ethernet
+
+# Wireless network cards
+acx* at pci? # TI ACX100/ACX111 (802.11b/g)
+acx* at cardbus? # TI ACX100/ACX111 (802.11b/g)
+ath* at pci? # Atheros AR5k (802.11a/b/g)
+ath* at cardbus? # Atheros AR5k (802.11a/b/g)
+athn* at pci? # Atheros AR9k (802.11a/g/n)
+athn* at cardbus? # Atheros AR9k (802.11a/g/n)
+atw* at pci? # ADMtek ADM8211 (802.11)
+atw* at cardbus? # ADMtek ADM8211 (802.11)
+bwi* at pci? # Broadcom AirForce (802.11b/g)
+bwi* at cardbus? # Broadcom AirForce (802.11b/g)
+wi* at pci? # WaveLAN IEEE 802.11DS
+wi* at pcmcia? # WaveLAN IEEE 802.11DS
+an* at pci? # Aironet IEEE 802.11DS
+an* at pcmcia? # Aironet IEEE 802.11DS
+iwi* at pci? # Intel PRO/Wireless 2200BG/2915ABG
+wpi* at pci? # Intel PRO/Wireless 3945ABG
+iwn* at pci? # Intel WiFi Link 4965/5000/1000/6000
+iwm* at pci? # Intel WiFi Link 7xxx
+ral* at pci? # Ralink RT2500/RT2501/RT2600
+ral* at cardbus? # Ralink RT2500/RT2501/RT2600
+rtw* at pci? # Realtek 8180
+rtw* at cardbus? # Realtek 8180
+rtwn* at pci? # Realtek 8188CE/8192CE
+pgt* at pci? # Prism54 (only full-mac varients)
+pgt* at cardbus? # Prism54 (only full-mac varients)
+malo* at pci? # Marvell Libertas
+malo* at cardbus? # Marvell Libertas
+malo* at pcmcia? # Marvell 88W8385
+
+# Media Independent Interface (mii) drivers
+exphy* at mii? # 3Com internal PHYs
+inphy* at mii? # Intel 82555 PHYs
+iophy* at mii? # Intel 82553 PHYs
+icsphy* at mii? # ICS 1890 PHYs
+lxtphy* at mii? # Level1 LXT970 PHYs
+nsphy* at mii? # NS and compatible PHYs
+nsphyter* at mii? # NS and compatible PHYs
+qsphy* at mii? # Quality Semi QS6612 PHYs
+luphy* at mii? # Lucent LU6612 PHY
+sqphy* at mii? # Seeq 8x220 PHYs
+rlphy* at mii? # Realtek 8139 internal PHYs
+mtdphy* at mii? # Myson MTD972 PHYs
+dcphy* at mii? # Digital Clone PHYs
+acphy* at mii? # Altima AC101 PHYs
+amphy* at mii? # AMD 79C873 PHYs
+tqphy* at mii? # TDK 78Q212x PHYs
+bmtphy* at mii? # Broadcom 10/100 PHYs
+brgphy* at mii? # Broadcom Gigabit PHYs
+eephy* at mii? # Marvell 88E1000 series PHY
+xmphy* at mii? # XaQti XMAC-II PHYs
+nsgphy* at mii? # NS gigabit PHYs
+rgephy* at mii? # Realtek 8169S/8110S PHY
+urlphy* at mii? # Realtek RTL8150L internal PHY
+ciphy* at mii? # Cicada CS8201 10/100/1000 copper PHY
+gentbi* at mii? # Generic 1000BASE-X ten-bit PHY
+etphy* at mii? # Agere/LSI ET1011 TruePHY
+jmphy* at mii? # JMicron JMP202/JMP211 PHYs
+atphy* at mii? # Attansic F1 PHYs
+ipgphy* at mii? # IC Plus IP1000A PHYs
+ukphy* at mii? # "unknown" PHYs
+
+eap* at pci? # Ensoniq AudioPCI S5016
+envy* at pci? # VIA Envy24 (aka ICE1712)
+#eso* at pci? # ESS Solo-1 PCI AudioDrive
+#sv* at pci? # S3 SonicVibes (S3 617)
+#neo* at pci? # NeoMagic 256AV/ZX
+cmpci* at pci? # C-Media CMI8338/8738
+auacer* at pci? # Acer Labs M5455
+auich* at pci? flags 0x0000 # i82801 ICH AC'97 audio
+auixp* at pci? # ATI IXP AC'97 Audio
+#autri* at pci? flags 0x0000 # Trident 4D WAVE
+auvia* at pci? # VIA VT82C686A
+azalia* at pci? # High Definition Audio
+clcs* at pci? # CS4280 CrystalClear audio
+#clct* at pci? # CS4281 CrystalClear audio
+#fms* at pci? # Forte Media FM801
+#maestro* at pci? # ESS Maestro PCI
+#esa* at pci? # ESS Maestro3 PCI
+yds* at pci? flags 0x0000 # Yamaha YMF Audio
+emu* at pci? # SB Live!
+mpu* at isa? port 0x330
+
+# MIDI support
+#midi* at autri?
+midi* at eap?
+midi* at envy?
+midi* at mpu?
+
+spkr0 at pcppi? # PC speaker
+
+# Audio Support
+audio* at eap?
+audio* at envy?
+#audio* at eso?
+#audio* at sv?
+#audio* at neo?
+audio* at cmpci?
+audio* at clcs?
+#audio* at clct?
+audio* at auacer?
+audio* at auich?
+audio* at auixp?
+#audio* at autri?
+audio* at auvia?
+audio* at azalia?
+#audio* at fms?
+audio* at uaudio?
+#audio* at maestro?
+#audio* at esa?
+audio* at yds?
+audio* at emu?
+
+bktr0 at pci?
+
+# FM-Radio devices
+#gtp* at pci? # Gemtek/Guillemot Radio PCI Radio Card
+
+# FM-Radio support
+#radio* at gtp?
+radio* at bktr?
+
+#wdt0 at pci? # Ind Computer Source PCI-WDT50x driver
+
+# crypto support
+hifn* at pci? # Hi/fn 7751 crypto card
+ubsec* at pci? # Bluesteel Networks 5xxx crypto card
+safe* at pci? # SafeNet SafeXcel 1141/1741
+
+xspd0 at pci? # XenSource Platform Device
+
+# 1-Wire devices
+option ONEWIREVERBOSE
+owid* at onewire? # ID
+owsbm* at onewire? # Smart Battery Monitor
+owtemp* at onewire? # Temperature
+owctr* at onewire? # Counter device
+
+pseudo-device pctr 1
+pseudo-device nvram 1
+pseudo-device hotplug 1 # devices hot plugging
+
+# mouse & keyboard multiplexor pseudo-devices
+pseudo-device wsmux 2
+
+# Virtio devices
+virtio* at pci? # Virtio PCI device
+vioblk* at virtio? # Virtio block device
+vio* at virtio? # Virtio network device
+viomb* at virtio? # Virtio memory ballooning device
+viornd* at virtio? # Virtio entropy device
+vioscsi* at virtio? # Virtio SCSI device
+#viocon* at virtio? # Virtio console device
+vmmci* at virtio? # VMM control interface
diff -Pur /usr/src/sys/conf/files src/sys/conf/files
--- /usr/src/sys/conf/files Wed Feb 8 06:09:25 2017
+++ src/sys/conf/files Fri Apr 14 17:44:34 2017
@@ -645,6 +645,7 @@
file kern/clock_subr.c
file kern/exec_conf.c
file kern/exec_elf.c
+file kern/exec_elfsec.c
file kern/exec_script.c
file kern/exec_subr.c
file kern/init_main.c
diff -Pur /usr/src/sys/kern/exec_elf.c src/sys/kern/exec_elf.c
--- /usr/src/sys/kern/exec_elf.c Mon Mar 20 01:05:21 2017
+++ src/sys/kern/exec_elf.c Thu Apr 27 20:29:50 2017
@@ -85,6 +85,7 @@
#include <sys/signalvar.h>
#include <sys/stat.h>
#include <sys/pledge.h>
+#include <sys/elfsec.h>
#include <sys/mman.h>
@@ -93,6 +94,12 @@
#include <machine/reg.h>
#include <machine/exec.h>
+#include <crypto/md5.h>
+#include <crypto/sha1.h>
+#include <crypto/sha2.h>
+#include <crypto/hmac.h>
+
+
int elf_load_file(struct proc *, char *, struct exec_package *,
struct elf_args *);
int elf_check_header(Elf_Ehdr *);
@@ -511,12 +518,18 @@
exec_elf_makecmds(struct proc *p, struct exec_package *epp)
{
Elf_Ehdr *eh = epp->ep_hdr;
- Elf_Phdr *ph, *pp, *base_ph = NULL;
+ Elf_Phdr *ph, *ph2, *pp, *base_ph = NULL;
Elf_Addr phdr = 0, exe_base = 0;
+ ELFSEChdr *eshdr;
int error, i, has_phdr = 0;
char *interp = NULL;
- u_long phsize;
+ u_long phsize, phsize2;
size_t randomizequota = ELF_RANDOMIZE_LIMIT;
+ struct elfsec es;
+ int visited_elfsec = 0;
+ struct nameidata esndp;
+ struct vnode *esvp;
+ struct vattr esvap;
if (epp->ep_hdrvalid < sizeof(Elf_Ehdr))
return (ENOEXEC);
@@ -703,6 +716,127 @@
ph[i].p_memsz, ph[i].p_vaddr + exe_base, NULLVP, 0,
0);
break;
+ case PT_OPENBSD_ELFSEC:
+ /* is elfsec active? if not break */
+ if (elfsecactive == 0) {
+ break;
+ }
+
+ /*
+ * are we superuser? if yes break.
+ * since root knows the secret key, there is no point
+ * in proceeding further with ELFSEC...
+ */
+
+ if (suser(p, 0) == 0)
+ break;
+
+ /*
+ * we are now active and a daemon/user
+ * now we make sure that someone doesn't create
+ * several ELFSEC sections to throw us into limbo
+ * once is enough.
+ */
+
+ if (visited_elfsec == 1)
+ break;
+
+ visited_elfsec = 1;
+
+
+ NDINIT(&esndp, LOOKUP, FOLLOW, UIO_SYSSPACE,
epp->ep_ndp->ni_dirp, p);
+ esndp.ni_pledge = PLEDGE_RPATH;
+ if ((error = namei(&esndp)) != 0) {
+ printf("elfsec debug: namei %d\n", error);
+ goto bad;
+ }
+ esvp = esndp.ni_vp;
+
+ if (esvp->v_type != VREG) {
+ error = EACCES;
+ goto bad;
+ }
+
+ if ((error = VOP_GETATTR(esvp, epp->ep_vap,
p->p_ucred, p)) != 0) {
+ printf("elfsec debug: VOP_GETATTR %d\n", error);
+ goto bad;
+ }
+
+ if (esvp->v_mount->mnt_flag & MNT_NOEXEC) {
+ error = EACCES;
+ goto bad;
+ }
+
+ if ((error = VOP_ACCESS(esvp, VREAD, p->p_ucred, p)) !=
0) {
+ printf("elfsec debug: VOP_ACCESS %d\n", error);
+ goto bad;
+ }
+
+ if ((error = VOP_GETATTR(esvp, &esvap, p->p_ucred, p))
!= 0) {
+ printf("elfsec debug: VOP_GETATTR %d\n", error);
+ goto bad;
+ }
+
+ es.es_filesize = esvap.va_size;
+ es.es_offset = eh->e_phoff + phsize;
+
+#if 0
+ printf("elfsec: es_filesize = %ld, es_offset = %ld\n",
es.es_filesize, es.es_offset);
+
+ /* i386 */
+ HMAC_MD5_Init(&es.ctx, &elfseckey, sizeof(elfseckey));
+#endif
+
+ HMAC_SHA256_Init(&es.ctx, elfseckey, sizeof(elfseckey));
+
+ ph2 = mallocarray(1, es.es_filesize - es.es_offset,
M_TEMP, M_WAITOK);
+ phsize2 = es.es_filesize - es.es_offset;
+
+ error = elf_read_from(p, esvp, es.es_offset, ph2,
phsize2);
+
+ if (error != 0) {
+ printf("elfsec debug: elf_read_from %d\n",
error);
+ VOP_CLOSE(esvp, FREAD, p->p_ucred, p);
+ free(ph2, M_TEMP, phsize2);
+ goto bad;
+ }
+
+ HMAC_SHA256_Update(&es.ctx, (u_int8_t *)ph2, phsize2);
+
+ memset(&es.digest, 0, sizeof(es.digest));
+
+ HMAC_SHA256_Final(es.digest, &es.ctx);
+ free(ph2, M_TEMP, phsize2);
+
+#if 0
+ printf("elfsec(%s) = ", epp->ep_ndp->ni_dirp);
+ for (es.i = 0; es.i < SHA256_DIGEST_LENGTH; es.i++) {
+ printf("%02x", es.digest[es.i] & 0xff);
+ }
+ printf("\n");
+#endif
+
+ VOP_CLOSE(esvp, FREAD, p->p_ucred, p);
+
+
+ /* now compare the elfsechdr with the checksum */
+
+ eshdr = (ELFSEChdr *)pp;
+
+ if (memcmp(eshdr->hmac, es.digest,
SHA256_DIGEST_LENGTH) != 0) {
+ printf("ELFSEC violation! not executing binary
(%s)\n", epp->ep_ndp->ni_dirp);
+#if 0
+ for (es.i = 0; es.i < SHA256_DIGEST_LENGTH;
es.i++) {
+ printf("%02x", eshdr->hmac[es.i] &
0xff);
+ }
+ printf("\n");
+#endif
+
+ goto bad;
+ }
+
+ break;
+
default:
/*
* Not fatal, we don't need to understand everything
@@ -710,6 +844,11 @@
*/
break;
}
+ }
+
+ if (elfsecactive == 1 && visited_elfsec == 0 && suser(p, 0) != 0) {
+ printf("ELFSEC violation! Not executing binary (%s)\n",
epp->ep_ndp->ni_dirp);
+ goto bad;
}
phdr += exe_base;
diff -Pur /usr/src/sys/kern/exec_elfsec.c src/sys/kern/exec_elfsec.c
--- /usr/src/sys/kern/exec_elfsec.c Thu Jan 1 01:00:00 1970
+++ src/sys/kern/exec_elfsec.c Thu Apr 27 20:30:54 2017
@@ -0,0 +1,81 @@
+/* exec_elfsec.c - $Id$ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/proc.h>
+
+#include <sys/mount.h>
+#include <sys/syscallargs.h>
+
+#include <sys/exec_elf.h>
+#include <sys/elfsec.h>
+
+#if 0
+#include <crypto/md5.h>
+#include <crypto/sha1.h>
+#include <crypto/sha2.h>
+#include <crypto/hmac.h>
+#endif
+
+int elfsecactive = 0;
+char elfseckey[32];
+
+int
+sys_elfsec(struct proc *p, void *v, register_t *retval)
+{
+ struct sys_elfsec_args /* {
+ syscallarg(char *) buf;
+ syscallarg(size_t) nbyte;
+ } */ *uap = v;
+ char *key;
+ size_t size;
+ int error;
+
+#if 0
+ if (securelevel > 0)
+ return (EPERM);
+#endif
+
+ if ((error = suser(p, 0)) != 0)
+ return (error);
+
+ key = SCARG(uap, buf);
+ size = SCARG(uap, nbyte);
+
+ if (size != sizeof(elfseckey))
+ return (EINVAL);
+
+ if ((error = copyin(key, &elfseckey, sizeof(elfseckey))) != 0)
+ return (error);
+
+ elfsecactive = 1;
+
+#if 0
+ printf("elfseckey: ");
+ for (i = 0; i < sizeof(elfseckey); i ++) {
+ printf("%02x", elfseckey[i] & 0xff);
+ }
+
+ printf("\n");
+
+ printf("HMAC test: ");
+
+ HMAC_SHA256_Init(&es.ctx, elfseckey, sizeof(elfseckey));
+ HMAC_SHA256_Update(&es.ctx, elfseckey, sizeof(elfseckey));
+ HMAC_SHA256_Update(&es.ctx, elfseckey, sizeof(elfseckey));
+ HMAC_SHA256_Update(&es.ctx, elfseckey, sizeof(elfseckey));
+ HMAC_SHA256_Final(es.es_buf, &es.ctx);
+
+ for (i = 0; i < 32; i++) {
+ printf("%02x", es.es_buf[i] & 0xff);
+ }
+
+ printf("\n");
+
+#endif
+
+
+
+ return (0);
+}
diff -Pur /usr/src/sys/kern/init_sysent.c src/sys/kern/init_sysent.c
--- /usr/src/sys/kern/init_sysent.c Mon Sep 26 18:43:58 2016
+++ src/sys/kern/init_sysent.c Fri Apr 14 17:36:03 2017
@@ -1,4 +1,4 @@
-/* $OpenBSD: init_sysent.c,v 1.186 2016/09/26 16:43:58 jca Exp $ */
+/* $OpenBSD$ */
/*
* System call switch table.
@@ -751,5 +751,7 @@
sys___set_tcb }, /* 329 = __set_tcb */
{ 0, 0, SY_NOLOCK | 0,
sys___get_tcb }, /* 330 = __get_tcb */
+ { 2, s(struct sys_elfsec_args), 0,
+ sys_elfsec }, /* 331 = elfsec */
};
diff -Pur /usr/src/sys/kern/syscalls.c src/sys/kern/syscalls.c
--- /usr/src/sys/kern/syscalls.c Mon Sep 26 18:43:58 2016
+++ src/sys/kern/syscalls.c Fri Apr 14 17:36:03 2017
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscalls.c,v 1.185 2016/09/26 16:43:58 jca Exp $ */
+/* $OpenBSD$ */
/*
* System call names.
@@ -393,4 +393,5 @@
"#328 (obsolete __tfork51)", /* 328 = obsolete __tfork51 */
"__set_tcb", /* 329 = __set_tcb */
"__get_tcb", /* 330 = __get_tcb */
+ "elfsec", /* 331 = elfsec */
};
diff -Pur /usr/src/sys/kern/syscalls.master src/sys/kern/syscalls.master
--- /usr/src/sys/kern/syscalls.master Sun Sep 4 19:22:40 2016
+++ src/sys/kern/syscalls.master Fri Apr 14 17:35:34 2017
@@ -563,3 +563,4 @@
328 OBSOL __tfork51
329 STD NOLOCK { void sys___set_tcb(void *tcb); }
330 STD NOLOCK { void *sys___get_tcb(void); }
+331 STD { int sys_elfsec(char *buf, size_t nbyte); }
Binary files /usr/src/sys/kern/vi.core and src/sys/kern/vi.core differ
diff -Pur /usr/src/sys/sys/elfsec.h src/sys/sys/elfsec.h
--- /usr/src/sys/sys/elfsec.h Thu Jan 1 01:00:00 1970
+++ src/sys/sys/elfsec.h Thu Apr 27 14:15:04 2017
@@ -0,0 +1,47 @@
+#ifndef _ELFSEC_H
+#define _ELFSEC_H
+
+#include <crypto/md5.h>
+#include <crypto/sha1.h>
+#include <crypto/sha2.h>
+#include <crypto/hmac.h>
+
+extern int elfsecactive;
+extern char elfseckey[32];
+
+struct elfsec {
+ u_long es_offset;
+ u_long es_filesize;
+ char es_buf[512];
+#if 0
+ HMAC_MD5_CTX ctx;
+#else
+ HMAC_SHA256_CTX ctx;
+#endif
+ int i;
+ char digest[SHA256_DIGEST_LENGTH];
+};
+
+
+#if 0
+/* Program Header */
+typedef struct {
+ Elf32_Word p_type; /* segment type */
+ Elf32_Off p_offset; /* segment offset */
+
+ char hmac[16]; /* 16 bytes for md5 HMAC */
+
+ Elf32_Word p_flags; /* flags */
+ Elf32_Word p_align; /* memory alignment */
+} ELFSEChdr;
+#else
+typedef struct {
+ Elf64_Half p_type; /* entry type */
+ Elf64_Half p_flags; /* flags */
+ Elf64_Off p_offset; /* offset */
+
+ char hmac[32]; /* 32 bytes for SHA256 HMAC */
+ Elf64_Xword p_align; /* memory & file alignment */
+} ELFSEChdr;
+#endif
+#endif /* _ELFSEC_H */
diff -Pur /usr/src/sys/sys/exec_elf.h src/sys/sys/exec_elf.h
--- /usr/src/sys/sys/exec_elf.h Sat Feb 18 07:42:08 2017
+++ src/sys/sys/exec_elf.h Fri Apr 14 16:24:58 2017
@@ -433,6 +433,7 @@
#define PT_OPENBSD_RANDOMIZE 0x65a3dbe6 /* fill with random data */
#define PT_OPENBSD_WXNEEDED 0x65a3dbe7 /* program performs W^X
violations */
+#define PT_OPENBSD_ELFSEC 0x65a3dbe8 /* program does ELFSEC */
#define PT_OPENBSD_BOOTDATA 0x65a41be6 /* section for boot arguments */
/* Segment flags - p_flags */
diff -Pur /usr/src/sys/sys/syscall.h src/sys/sys/syscall.h
--- /usr/src/sys/sys/syscall.h Mon Sep 26 18:43:58 2016
+++ src/sys/sys/syscall.h Fri Apr 14 17:36:03 2017
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscall.h,v 1.184 2016/09/26 16:43:58 jca Exp $ */
+/* $OpenBSD$ */
/*
* System call numbers.
@@ -700,4 +700,7 @@
/* syscall: "__get_tcb" ret: "void *" args: */
#define SYS___get_tcb 330
-#define SYS_MAXSYSCALL 331
+/* syscall: "elfsec" ret: "int" args: "char *" "size_t" */
+#define SYS_elfsec 331
+
+#define SYS_MAXSYSCALL 332
diff -Pur /usr/src/sys/sys/syscallargs.h src/sys/sys/syscallargs.h
--- /usr/src/sys/sys/syscallargs.h Mon Sep 26 18:43:58 2016
+++ src/sys/sys/syscallargs.h Fri Apr 14 17:36:03 2017
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscallargs.h,v 1.187 2016/09/26 16:43:58 jca Exp $ */
+/* $OpenBSD$ */
/*
* System call argument lists.
@@ -1093,6 +1093,11 @@
syscallarg(void *) tcb;
};
+struct sys_elfsec_args {
+ syscallarg(char *) buf;
+ syscallarg(size_t) nbyte;
+};
+
/*
* System call prototypes.
*/
@@ -1341,3 +1346,4 @@
int sys_unlinkat(struct proc *, void *, register_t *);
int sys___set_tcb(struct proc *, void *, register_t *);
int sys___get_tcb(struct proc *, void *, register_t *);
+int sys_elfsec(struct proc *, void *, register_t *);
