Introducing Sentinel LDK Envelope for Linux

Sentinel LDK Envelope for Linux is a command-line utility that runs on a Linux Intel machine and can be used to protect both Linux Intel and Linux ARM applications. Both executables and shared objects can be protected.

NOTE   If the License Manager does not find the required license for a protected shared library, the application that is loading the protected shared object may terminate without displaying an error message.

For information on supported Linux distributions and supported hardware, see the Sentinel LDK Release Notes (for Sentinel EMS or Sentinel LDK-EMS).

A sample 64-bit program is provided to enable you to experiment with Envelope. This program can be found under /VendorTools/Envelope/sample/ in the Sentinel LDK for Linux installation.

For additional information regarding Sentinel LDK Envelope, refer to:

>Sentinel LDK Software Protection and Licensing Guide (for Sentinel EMS or Sentinel LDK-EMS)

>Sentinel LDK Getting Started Guide for Linux

Prerequisites for Linux

To use the Sentinel LDK Envelope for Linux utility, the following components must be installed on your Linux Intel machine:

>Sentinel LDK Run-time Environment

>Sentinel Vendor Suite, containing the Sentinel LDK Envelope command-line utility for Linux and the Master Wizard

>A valid Vendor Code stored in the VendorCodes directory. For additional information, see the Sentinel LDK Software Protection and Licensing Guide (for Sentinel EMS or Sentinel LDK-EMS).

>The Linux executables and shared libraries that you want to protect. Intel ELF (x86_64) and ARM ELF (32-bit, AArch32, and AArch64) executables and shared libraries are supported.

>Your Sentinel Developer key or Master key must be connected to the machine.

NOTE   If you require an alternative to using a Developer key or Master key, contact Technical Support.

Supported Versions of Linux ARM Binaries

Sentinel LDK Envelope supports the following Linux ARM applications that are compiled for ARM ABI:

>ARMv6

>ARMv7

>ARMv7-a

>ARMv8-a

>ARMv8.1-a

Limitations

>Uninitialized global variables are allocated to the bss section, which expands at run-time. During the protection process, these variables are expanded. As a result, the protected application size may increase significantly.

To prevent this expansion, do one of the following:

Allocate uninitialized global variables dynamically.

Initialize each global variable with a non-zero value.

>In an application process space, a protected application or dynamic library supports approximately 1,000 threads and child processes running at any given time. This limitation is applicable when debugging/memory dumps are blocked or background checking is enabled (or both).

>Envelope does not support applications or dynamic libraries when the page size is not set to 4096 bytes during compilation.

To resolve this, build the binary with the -z max-page-size=4096 and -z common-page-size=4096 compilation options (linker options).

>The Envelope anti-debugging functionality does not provide protection against debugging for a protected application's orphan child processes.
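The page-size and bss limitations above can be checked on a binary before it is passed to Envelope. The following is an added example, not part of the Sentinel LDK tooling: it reads the ELF program headers and reports any PT_LOAD segment whose alignment (where the linker records max-page-size) is not 4096, the size of each zero-fill region (where the bss section lives), and an architecture outside the x86_64/ARM set listed in the prerequisites. The names preflight and sample_elf are hypothetical, and the sample image is constructed.

```python
import struct

PT_LOAD = 1
# e_machine values from the ELF specification for the architectures the page lists
MACHINES = {62: "x86_64", 40: "ARM (32-bit)", 183: "AArch64"}

def preflight(data, page=4096):
    """Return a list of findings for an ELF image (bytes) before protecting it."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    e_machine, = struct.unpack_from(end + "H", data, 18)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    findings = []
    if e_machine not in MACHINES:
        findings.append(f"unsupported e_machine {e_machine}")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, _, _, _, filesz, memsz, align = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _, _, _, filesz, memsz, _, align = struct.unpack_from(end + "IIIIIIII", data, off)
        if p_type != PT_LOAD:
            continue
        if align != page:
            findings.append(f"PT_LOAD[{i}] align {align:#x} != {page:#x}")
        if memsz > filesz:   # bytes the loader zero-fills, i.e. the bss region
            findings.append(f"PT_LOAD[{i}] zero-fill (bss) {memsz - filesz} bytes")
    return findings

def sample_elf(machine=183, align=0x10000, bss=1 << 20):
    """Constructed minimal ELF64 image: header plus two PT_LOAD entries, no contents."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, machine, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    text = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x200, 0x200, align)
    rw = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0x200, 0x10200, 0x10200, 0x40, 0x40 + bss, align)
    return hdr + text + rw

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf()
    print("\n".join(preflight(blob)) or "no findings")
```

Run with a path to an executable or shared library as the only argument; with no argument it checks the constructed sample, which is an AArch64 image linked with a 64 KB page size and a 1 MB bss.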

Considerations for Applications in Docker Containers

The following considerations apply for Docker containers:

>Abort/Retry functionality is not supported for applications that run in a Docker container. For more information, see the description of <IGNORE_BACKGROUND_CHECK>.

>Protection against debugging and memory dumps is supported for applications in Docker containers.

>Given the following circumstances:

An application is protected with the DEMOMA Batch Code.

The application executes in a Docker container.

In this case, the warning message regarding the use of the DEMOMA Batch Code is displayed in the Docker container terminal.