SIGN(3) SIGN(3)
NAME
sign - control use of signed modules
SYNOPSIS
bind -a #Σ /dev
/dev/signerkey
/dev/signctl
DESCRIPTION
Sign is a device, still experimental, to control the use of
signed Dis modules. After system initialisation, any pro-
cess can load any module. Using sign, load operations can
subsequently be restricted for a process and its descen-
dents.
Signerkey is a file that can be opened for writing only by
the host owner (see eve(10.2)) (but any process holding the
file descriptor can write to it). The data written must be
the textual representation of a public key in the form pro-
duced by Keyring->pktostr (see keyring-certtostr(2)). After
a successful write, subsequent load operations will be lim-
ited to Dis modules in any of the following sets:
• built-in modules
• unsigned modules found in the kernel's root(3) file
system
• currently loaded unsigned modules
• acceptable signed modules
A signed Dis module contains a signature in its header, as
specified by dis(6). The signature contains the result of
signing the remaining data in the file (or more precisely, a
cryptographically secure hash of it), using a configured
public key algorithm and the signer's secret key (for
instance using Keyring->sign, see keyring-sha1(2)).
A signed module is `acceptable' if it was signed by the
secret key corresponding to one of the public keys written
to signerkey. There can be up to 8 such keys. The set of
keys and the secured status is shared across spawn.
Signerkey is generally readable, and when read yields a list
of the keys installed, one per line, showing owner, alg, and
other attributes in attr=value format, space separated. The
actual key value is not currently shown.
SIGN(3) SIGN(3)
Signctl can be read or written only by the host owner. Each
write contains a textual control request. (Currently there
are none such.) If security is not enabled, it is empty
when read. Otherwise, it contains the number of keys
loaded, as a decimal integer.
SOURCE
/emu/port/devsign.c
/os/port/devsign.c
SEE ALSO
wm/rt in wm-misc(2), sys-pctl(2), dis(6),
createsignerkey(8), eve(10.2)
DIAGNOSTICS
If the text is not a valid public key or uses an algorithm
that is not configured, a write to signer fails and sets the
error string.