id,summary,reporter,owner,description,type,status,component,version,resolution,keywords,cc,guest,host
12608,VirtualBox Solaris kernel modules are not signed,Dan A.,,"!VirtualBox Solaris kernel modules are not signed with elfsign(1):
{{{
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxnet 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxnet.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxdrv 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxdrv.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxbow 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxbow.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusbmon 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusbmon.
$ elfsign verify /platform/i86pc/kernel/drv/amd64/vboxusb 
elfsign: no signature found in /platform/i86pc/kernel/drv/amd64/vboxusb.
}}}

In a future version of Solaris, a warning message may be generated for unsigned modules.

Here's an example of how to sign a kernel module on Solaris. This example uses self-signed certs. An official CA-issued cert would be better.

{{{
$ pktool gencert keystore=file serial=0x1 format=pem lifetime=20-year \
    keytype=rsa hash=sha256 outcert=virtualbox.pem outkey=virtualbox.key \
    subject=""O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org""
$ su
# cp virtualbox.pem /etc/certs

$ elfsign sign -v -c virtualbox.pem -k virtualbox.key vboxnet
elfsign: vboxnet signed successfully.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.

$ elfsign verify -v vboxnet
elfsign: verification of vboxnet passed.
format: rsa_sha256.
signer: O=Oracle Corporation, OU=VirtualBox, CN=virtualbox.org
signed on: Wed Jan 08 17:53:44 2014.
}}}",enhancement,closed,installer,VirtualBox 4.3.6,fixed,"signing, elfsign",,other,Solaris
