It is not an attempt to lock out 3rd party kernel module or other code from running on Solaris or OpenSolaris distributions. In fact it isn't really intended for use by Sun at all, with one exception that applies to Solaris the binary product but not OpenSolaris (this is a US export requirement because at the time of development of Solaris 10 we couldn't claim it was opens source - we still can't but we should be able to for future releases), it is really intended for use by the end administrator.
Kernel modules, libraries and compiled programs are represented in as ELF objects in Solaris (and in many other UNIX systems too). The ELF object contains many things in addition to the text and data sections that actually describe the program code. For example an ELF object may contain debug information or a comments section that is information about revision history, it also contains information for the linker/loader.
We exploit the fact that ELF is exensible and use that to hold a cryptographic signature of the parts of the ELF object that impact the running program code, basically any ELF section that is marked that it will be taken into memory (eg. SHT_PROGBITS). We make an RSA signed SHA-1 hash of those bits and store it in a new ELF section. You do this using a new program called elfsign(1), it is in the SUNWtoo package.
At this time elfsign(1) takes a raw key and certificate from a file, but will soon (planned for a Solaris 10 update release) have the ability to take it from an PKCS#11 token that is available via the Solaris Cryptographic Framework.
As of the initial release of Solaris 10, for the most part nothing happens with them unless the admin
explicitly askes for verification of a paritcular binary, for example:
$ elfsign verify -e /lib/libc.so.1
elfsign: verification of /lib/libc.so.1 passed.
$ elfsign verify -e /usr/bin/vi
elfsign: verification of /usr/bin/vi passed.
$ elfsign verify -e /kernel/genunix
elfsign: verification of /kernel/genunix passed.
Okay here goes but I did say this wasn't going to be pretty just now...
$ elfsign request -k mykey -r newreq.pem
Enter Company Name / Stock Symbol or some other globally unique identifier.
This will be the prefix of the Certificate DN:
$ mkdir demoCA
$ cp /etc/sfw/openssl/openssl.cnf demoCA
countryName_default =
stateOrProvinceName_default =
0.organizationName_default = Example Sun ISV Ltd
$ export SSLEAY_CONFIG=demoCA/openssl.cnf
$ perl /usr/sfw/bin/CA.pl -newca
$ elfsign sign -k mykey -c mycert -e libmystuff.so.1
$ cp mycert /etc/certs/Example_ISV_Ltd
$ elfsign verify -e libmystuff.so.1
elfsign: verification of /lib/libc.so.1 passed.
Technorati Tag: OpenSolaris
Technorati Tag: Solaris