VirtualBox Solaris kernel modules are not signed

[Dan A.]

VirtualBox Solaris kernel modules are not signed with elfsign(1):

$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon. $ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.

In a future version of Solaris, a warning message may be generated for unsigned modules.

Here's an example on how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.

$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \

keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \ subject="O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org"

$ su # cp virtualbox.pem /etc/certs

$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet elfsign: vboxnet signed successfully. format: rsa_sha256. signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org signed on: Wed Jan 08 17:53:44 2014.

$ elfsign verify -v vboxnet elfsign: verification of vboxnet passed. format: rsa_sha256. signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org signed on: Wed Jan 08 17:53:44 2014.