Developer's Guide to Oracle Solaris Security

Packaging Kernel-Level Provider Modules

    A third-party developer of a kernel-level cryptographic provider module completes the following process. For Solaris builds earlier than build 103, complete all steps. For Solaris build 103 or later, complete only the first two steps.

  1. Acquire a certificate from Oracle Corporation. Then, sign the kernel software module or device driver. See Adding Signatures to Providers.

  2. Ship the certificate with the package. The certificate should be placed in the /etc/crypto/certs directory.


    Note –

    The following steps are required only if you are using a Solaris build earlier than build 103. If you are using build 103 or later, the following steps are no longer required and are ignored.

  3. Add the kcfconf class into the CLASSES string of the pkginfo file. The following line should be added:

    CLASSES=none kcfconf

  4. Create an input file kcf.conf in the etc/crypto directory. This file is used to add software and hardware plug-ins to the kernel configuration file.

    • If the provider is a kernel software module with cryptographic mechanisms, use the following syntax for the entry:

      provider-name:supportedlist=mech1,mech2,...

      provider-name

      Base name for the kernel software module

      mech*

      Name of the cryptographic mechanism in the list

      The following entry is an example of a kernel software module:

      des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES_CFB

    • If the provider is a device driver for cryptographic mechanisms, such as an accelerator card, then use the following syntax for the entry:

      driver_names=devicedriver1,devicedriver2,...

      devicedriver*

      Name of a device driver for a cryptographic device.

      The following entry is an example of a device driver:

      driver_names=dca
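
The following script is an added example, not part of the original guide or of Solaris: a pre-packaging lint that checks each entry of a kcf.conf input file against the two syntaxes described above. The function names, the allowed character set, the CKM_ prefix requirement, and the skipping of blank and '#' lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example: lint kcf.conf input entries before building the package.
# Assumptions (not from the guide): names use only [A-Za-z0-9_-], mechanism
# names start with CKM_, and blank lines or '#' comment lines are skipped.

valid_name() {      # valid_name NAME PREFIX
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty or unexpected character
    esac
    case $1 in
        "$2"*) return 0 ;;                 # required prefix (may be empty)
    esac
    return 1
}

valid_list() {      # valid_list COMMA_LIST PREFIX
    case $1 in
        ''|,*|*,|*,,*) return 1 ;;         # empty list or empty item
    esac
    rc=0; old_ifs=$IFS
    IFS=,; set -f                          # split on commas, no globbing
    for item in $1; do
        valid_name "$item" "$2" || rc=1
    done
    IFS=$old_ifs; set +f
    return $rc
}

check_kcf_entry() { # prints software|driver|invalid; status 0 only if valid
    entry=$1
    case $entry in
        driver_names=*)
            valid_list "${entry#driver_names=}" '' && { echo driver; return 0; } ;;
        *:supportedlist=*)
            valid_name "${entry%%:supportedlist=*}" '' &&
                valid_list "${entry#*:supportedlist=}" CKM_ &&
                { echo software; return 0; } ;;
    esac
    echo invalid; return 1
}

lint_kcf_conf() {   # reads entries on stdin; status 1 if any entry is invalid
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        check_kcf_entry "$line" >/dev/null ||
            { echo "line $n rejected: $line" >&2; bad=1; }
    done
    return $bad
}
```

Running lint_kcf_conf with the kcf.conf input file on standard input before building the package stops a malformed entry from reaching the kernel configuration file at install time.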