VirtualBox

Ticket #12608 (closed enhancement: fixed)

Opened 4 years ago

Last modified 19 months ago

VirtualBox Solaris kernel modules are not signed

Reported by: danxyz
Owned by:
Priority: major
Component: installer
Version: VirtualBox 4.3.6
Keywords: signing, elfsign
Cc:
Guest type: other
Host type: Solaris

Description (last modified by ramshankar)

VirtualBox Solaris kernel modules are not signed with elfsign(1):

$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.

In a future version of Solaris, a warning message may be generated for unsigned modules.

Here's an example of how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.

$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \
    keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \
    subject="O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org"
$ su
# cp virtualbox.pem /etc/certs

$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet
elfsign: vboxnet signed successfully.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.

$ elfsign verify -v vboxnet
elfsign: verification of vboxnet passed.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
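
An added example, not part of the ticket and not VirtualBox or Oracle code: a shell check that runs the elfsign verify command from the description over the five listed modules and fails unless every one reports a passing signature. It assumes only the two output formats quoted above; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Module names and directory are the ones listed in the ticket.
VBOX_MODULES="vboxnet vboxdrv vboxbow vboxusbmon vboxusb"
MODULE_DIR="/platform/i86pc/kernel/drv/amd64"

# Constructed sample, built from the two message formats quoted in the ticket.
SAMPLE_OUTPUT='elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
elfsign: verification of vboxnet passed.
format: rsa_sha256.'

# Read elfsign output on stdin; print "<status> <module>" per result line.
# Any other "elfsign:" line is "unknown", so it is never counted as signed.
classify_elfsign_output() {
    while IFS= read -r line; do
        case "$line" in
            "elfsign: no signature found in "*)
                path=${line#"elfsign: no signature found in "}
                path=${path%.}
                echo "unsigned ${path##*/}" ;;
            "elfsign: verification of "*" passed.")
                path=${line#"elfsign: verification of "}
                path=${path%" passed."}
                echo "signed ${path##*/}" ;;
            "elfsign: "*)
                rest=${line#"elfsign: "}
                echo "unknown $rest" ;;
        esac
    done
}

# Verify every module; return non-zero unless all of them are "signed".
audit_modules() {
    rc=0
    for m in $VBOX_MODULES; do
        result=$(elfsign verify "$MODULE_DIR/$m" 2>&1 | classify_elfsign_output)
        echo "${result:-unknown $m}"
        case "$result" in "signed "*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# On a Solaris host run the audit; elsewhere show the parser on the sample.
if command -v elfsign >/dev/null 2>&1; then
    audit_modules
else
    printf '%s\n' "$SAMPLE_OUTPUT" | classify_elfsign_output
fi
```

The non-zero exit status lets the check gate a package build or a post-install step, so an unsigned module is caught before release.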

Change History

comment:1 Changed 4 years ago by ramshankar

  • Description modified

comment:2 Changed 4 years ago by ramshankar

  • Description modified

comment:3 Changed 4 years ago by klaus

  • Cc dan.anderson@… removed

We'll look into this... if it's not much work and if it turns out that Solaris accepts Windows driver signing certs (one of those super expensive special code signing certs we have to have) then it might be possible to get this into the next major release. BTW, we also listen on the internal Oracle bug tracking tools ;)

comment:4 Changed 22 months ago by danxyz

As a data point, this error is still present with VirtualBox 5.0.14 installed on a VirtualBox host running Solaris 11.3 (January 2016).

comment:5 Changed 21 months ago by frank

danxyz, all VBox 5.0.x kernel modules are signed on Solaris. Please provide the output of the tool you used to check if the modules are signed or not.

comment:6 Changed 21 months ago by frank

Actually I take that back. There is some problem on our side...

comment:7 Changed 20 months ago by frank

The most recent 5.0.x Solaris test build should have the modules properly signed. Could you confirm?

comment:8 Changed 19 months ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Fix is part of VBox 5.0.18.
