2 files changed, 18 insertions, 3 deletions

diff --git a/pkg/sentry/arch/arch.go b/pkg/sentry/arch/arch.go
index ace7d5b18..498ca4669 100644
--- a/pkg/sentry/arch/arch.go
+++ b/pkg/sentry/arch/arch.go
@@ -33,6 +33,8 @@ type Arch int
 const (
 	// AMD64 is the x86-64 architecture.
 	AMD64 Arch = iota
+	// ARM64 is the aarch64 architecture.
+	ARM64
 )
 
 // String implements fmt.Stringer.
@@ -40,6 +42,8 @@ func (a Arch) String() string {
 	switch a {
 	case AMD64:
 		return "amd64"
+	case ARM64:
+		return "arm64"
 	default:
 		return fmt.Sprintf("Arch(%d)", a)
 	}
diff --git a/pkg/sentry/loader/elf.go b/pkg/sentry/loader/elf.go
index fba2f27fe..bc5b841fb 100644
--- a/pkg/sentry/loader/elf.go
+++ b/pkg/sentry/loader/elf.go
@@ -148,12 +148,17 @@ func parseHeader(ctx context.Context, f *fs.File) (elfInfo, error) {
 	}
 	binary.Unmarshal(hdrBuf, byteOrder, &hdr)
 
-	// We only support amd64.
-	if machine := elf.Machine(hdr.Machine); machine != elf.EM_X86_64 {
+	// We support amd64 and arm64.
+	var a arch.Arch
+	switch machine := elf.Machine(hdr.Machine); machine {
+	case elf.EM_X86_64:
+		a = arch.AMD64
+	case elf.EM_AARCH64:
+		a = arch.ARM64
+	default:
 		log.Infof("Unsupported ELF machine %d", machine)
 		return elfInfo{}, syserror.ENOEXEC
 	}
-	a := arch.AMD64
 
 	var sharedObject bool
 	elfType := elf.Type(hdr.Type)
@@ -560,6 +565,12 @@ func loadInitialELF(ctx context.Context, m *mm.MemoryManager, fs *cpuid.FeatureS
 		return loadedELF{}, nil, err
 	}
 
+	// Check Image Compatibility.
+	if arch.Host != info.arch {
+		ctx.Warningf("Found mismatch for platform %s with ELF type %s", arch.Host.String(), info.arch.String())
+		return loadedELF{}, nil, syserror.ENOEXEC
+	}
+
 	// Create the arch.Context now so we can prepare the mmap layout before
 	// mapping anything.
 	ac := arch.New(info.arch, fs)