Opened 10 years ago
Last modified 6 years ago
#12608 closed enhancement
VirtualBox Solaris kernel modules are not signed — at Initial Version
Reported by: | Dan A. | Owned by: | |
---|---|---|---|
Component: | installer | Version: | VirtualBox 4.3.6 |
Keywords: | signing, elfsign | Cc: | |
Guest type: | other | Host type: | Solaris |
Description
VirtualBox Solaris kernel modules are not signed with elfsign(1):
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.
In a future version of Solaris, a warning message may be generated for unsigned modules.
Here's an example on how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.
$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \
keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \ subject="O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org"
$ su # cp virtualbox.pem /etc/certs
$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet elfsign: vboxnet signed successfully. format: rsa_sha256. signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org signed on: Wed Jan 08 17:53:44 2014.
$ elfsign verify -v vboxnet elfsign: verification of vboxnet passed. format: rsa_sha256. signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org signed on: Wed Jan 08 17:53:44 2014.