VirtualBox

Opened 10 years ago

Closed 8 years ago

Last modified 6 years ago

#12608 closed enhancement (fixed)

VirtualBox Solaris kernel modules are not signed

Reported by: Dan A.
Owned by:
Component: installer
Version: VirtualBox 4.3.6
Keywords: signing, elfsign
Cc:
Guest type: other
Host type: Solaris

Description (last modified by Ramshankar Venkataraman)

VirtualBox Solaris kernel modules are not signed with elfsign(1):

$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.

In a future version of Solaris, a warning message may be generated for unsigned modules.

Here's an example of how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.

$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \
    keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \
    subject="O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org"
$ su
# cp virtualbox.pem /etc/certs

$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet
elfsign: vboxnet signed successfully.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.

$ elfsign verify -v vboxnet
elfsign: verification of vboxnet passed.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
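
The verification step from the description, extended to all five modules and to a check on the signer name, as an added example that is not part of the original ticket or VirtualBox's own code. It classifies only the elfsign output lines quoted above; the `ELFSIGN` and `MODDIR` variables, the status words and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the VirtualBox Solaris kernel modules with elfsign.
ELFSIGN=${ELFSIGN:-elfsign}                        # assumption: overridable for testing
MODDIR=${MODDIR:-/platform/i86pc/kernel/drv/amd64} # module path from the ticket
MODULES="vboxdrv vboxnet vboxbow vboxusbmon vboxusb"

# classify_output EXPECTED_SIGNER  (reads `elfsign verify -v` output on stdin)
# Prints one status word: signed, unsigned, wrong-signer or failed.
classify_output() {
    expected=$1 state=failed signer=
    while IFS= read -r line; do
        case $line in
            "elfsign: no signature found in "*)     state=unsigned ;;
            "elfsign: verification of "*" passed.") state=signed ;;
            "signer: "*)                            signer=${line#signer: } ;;
        esac
    done
    # A passing signature from an unexpected certificate is still a finding.
    if [ "$state" = signed ] && [ -n "$expected" ] && [ "$signer" != "$expected" ]; then
        state=wrong-signer
    fi
    printf '%s\n' "$state"
}

# audit_modules [EXPECTED_SIGNER]
# Prints "module status" per module; returns 1 unless every module is signed.
audit_modules() {
    rc=0
    for m in $MODULES; do
        status=$($ELFSIGN verify -v "$MODDIR/$m" 2>&1 | classify_output "${1:-}")
        printf '%s %s\n' "$m" "$status"
        [ "$status" = signed ] || rc=1
    done
    return "$rc"
}

# Run the audit only when asked, e.g.: sh audit.sh --audit "O=..., CN=..."
if [ "${1:-}" = --audit ]; then
    audit_modules "${2:-}"
    exit $?
fi
```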

Change History (9)

comment:1 by Ramshankar Venkataraman, 10 years ago

Description: modified (diff)

comment:2 by Ramshankar Venkataraman, 10 years ago

Description: modified (diff)

comment:3 by Klaus Espenlaub, 10 years ago

Cc: dan.anderson@… removed

We'll look into this... if it's not much work and if it turns out that Solaris accepts Windows driver signing certs (one of those super expensive special code signing certs we have to have) then it might be possible to get this into the next major release. BTW, we also listen on the internal Oracle bug tracking tools ;)

comment:4 by Dan A., 8 years ago

As a data point, this error is still present with VirtualBox 5.0.14 installed on a VirtualBox host running Solaris 11.3 (January 2016).

comment:5 by Frank Mehnert, 8 years ago

danxyz, all VBox 5.0.x kernel modules are signed on Solaris. Please provide the output of the tool you used to check if the modules are signed or not.

comment:6 by Frank Mehnert, 8 years ago

Actually I take that back. There is some problem on our side...

comment:7 by Frank Mehnert, 8 years ago

The most recent 5.0.x Solaris test build should have the modules properly signed. Could you confirm?

comment:8 by Frank Mehnert, 8 years ago

Resolution: fixed
Status: new → closed

Fix is part of VBox 5.0.18.

comment:9 by Dan Anderson, 6 years ago

Thanks! Yes, it works now on Oracle Solaris 12 (I confirmed in 2016). Sorry for the late reply. I forgot my old login password, and was since RIFed from Oracle when Solaris kernel development was EOLed :-(.

  • danxyz (now danxyz2)