System Administration Guide: Security Services

Procedure: How to Prevent the Use of a Kernel Software Provider

If the cryptographic framework provides multiple modes of a provider such as AES, you can remove a slow or corrupted mechanism from use while leaving the rest of the provider available. This procedure uses the AES algorithm as an example.

  1. Become superuser or assume a role that includes the Crypto Management rights profile.

    To create a role that includes the Crypto Management rights profile and assign the role to a user, see Example 9–7.

  2. List the mechanisms that are offered by a particular kernel software provider.

    $ cryptoadm list -m provider=aes
    aes: CKM_AES_ECB,CKM_AES_CBC

  3. List the mechanisms that are available for use.

    $ cryptoadm list -p provider=aes
    aes: all mechanisms are enabled.

  4. Disable the mechanism that should not be used.

    $ cryptoadm disable provider=aes mechanism=CKM_AES_ECB

  5. List the mechanisms that are available for use.

    $ cryptoadm list -p provider=aes
    aes: all mechanisms are enabled, except CKM_AES_ECB.
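
The policy line returned in step 5 is what an administrator checks after the change, and what a configuration audit would re-check later. The following POSIX shell helper is an added example, not part of this guide or of the cryptoadm utility: it parses a `cryptoadm list -p` policy line of the form shown above and reports whether a named mechanism is in the disabled ("except") list, so the verification can be scripted across many systems. The sample lines are constructed from the output shown in this procedure; the comma-separated form for several disabled mechanisms and the "all mechanisms are disabled" wording are assumptions about cryptoadm output that this page does not show.

```shell
#!/bin/sh
# Added example (not from the guide): check a cryptoadm policy line for a
# disabled mechanism, as a post-change verification or compliance check.

# Constructed sample policy lines, in the format shown in the procedure.
SAMPLE_ALL_ENABLED='aes: all mechanisms are enabled.'
SAMPLE_ECB_DISABLED='aes: all mechanisms are enabled, except CKM_AES_ECB.'

# mechanism_disabled POLICY_LINE MECHANISM
# Returns 0 when MECHANISM is disabled by policy, 1 when it is enabled.
# A comma-separated "except" list and the "all mechanisms are disabled"
# wording are assumptions about cryptoadm output, not shown on this page.
mechanism_disabled() {
    line=$1
    mech=$2
    case $line in
        *'all mechanisms are disabled'*)
            return 0 ;;
        *'except '*)
            # Keep only the text after "except ", drop the trailing period,
            # then compare each comma-separated entry to the mechanism name.
            excepts=${line#*"except "}
            excepts=${excepts%.}
            old_ifs=$IFS
            IFS=','
            found=1
            for entry in $excepts; do
                entry=${entry#" "}        # tolerate "A, B" as well as "A,B"
                [ "$entry" = "$mech" ] && found=0
            done
            IFS=$old_ifs
            return $found ;;
        *)
            return 1 ;;
    esac
}

# provider_mechanism_disabled PROVIDER MECHANISM
# Live variant: queries cryptoadm on the local system (Solaris only) and
# returns 2 if cryptoadm is unavailable or the provider is unknown.
provider_mechanism_disabled() {
    policy=$(cryptoadm list -p provider="$1" 2>/dev/null) || return 2
    mechanism_disabled "$policy" "$2"
}

# Stand-alone demonstration against the constructed samples.
if mechanism_disabled "$SAMPLE_ECB_DISABLED" CKM_AES_ECB; then
    echo "sample: CKM_AES_ECB is disabled, as expected after step 4"
fi
if ! mechanism_disabled "$SAMPLE_ALL_ENABLED" CKM_AES_ECB; then
    echo "sample: CKM_AES_ECB is enabled, as before step 4"
fi
```

On a live Solaris system, `provider_mechanism_disabled aes CKM_AES_ECB` returns 0 only when the policy still excludes ECB, so it can run from cron or a configuration-management check and flag a system where someone has re-enabled the mechanism.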

Example 14–25 Enabling a Kernel Software Provider Mechanism

In the following example, a disabled AES mechanism is again made available for use.

$ cryptoadm list -m provider=aes
aes: CKM_AES_ECB,CKM_AES_CBC
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled, except CKM_AES_ECB.
$ cryptoadm enable provider=aes mechanism=CKM_AES_ECB
$ cryptoadm list -p provider=aes
aes: all mechanisms are enabled.

Example 14–26 Temporarily Removing Kernel Software Provider Availability

In the following example, the AES provider is temporarily removed from use. The unload subcommand prevents a provider from being loaded automatically while the provider is being uninstalled, for example, while a patch that affects the provider is being installed.

$ cryptoadm unload provider=aes

$ cryptoadm list 
…
Kernel software providers:
	des
	aes (inactive)
	arcfour
	blowfish
	ecc
	sha1
	sha2
	md4
	md5
	rsa
	swrand

The AES provider is unavailable until the cryptographic framework is refreshed.

$ svcadm refresh system/cryptosvc

$ cryptoadm list 
…
Kernel software providers:
	des
	aes
	arcfour
	blowfish
	ecc
	sha1
	sha2
	md4
	md5
	rsa
	swrand

If a kernel consumer is using the kernel software provider, the software is not unloaded. An error message is displayed and the provider continues to be available for use.
Example 14–27 Permanently Removing Software Provider Availability

In the following example, the AES provider is removed from use. Once removed, the AES provider does not appear in the policy listing of kernel software providers.

$ cryptoadm uninstall provider=aes

$ cryptoadm list 
…
Kernel software providers:
	des
	arcfour
	blowfish
	ecc
	sha1
	sha2
	md4
	md5
	rsa
	swrand

If a kernel consumer is using the kernel software provider, an error message is displayed and the provider continues to be available for use.
Example 14–28 Reinstalling a Removed Kernel Software Provider

In the following example, the AES kernel software provider is reinstalled.

$ cryptoadm install provider=aes mechanism=CKM_AES_ECB,CKM_AES_CBC

$ cryptoadm list 
…
Kernel software providers:
	des
	aes
	arcfour
	blowfish
	ecc
	sha1
	sha2
	md4
	md5
	rsa
	swrand
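
Examples 14–26 through 14–28 show three states a provider can be in within the `cryptoadm list` output: listed, listed with an "(inactive)" marker after unload, and absent after uninstall. The following POSIX shell and awk helper is an added example, not from this guide or from cryptoadm: it extracts the "Kernel software providers:" section and classifies one provider as active, inactive or absent, which is the state a configuration check would record after each of these operations. The sample listing is constructed from the output above; the "User-level providers:" and "Kernel hardware providers:" section headings used to delimit the section, and the provider names under them, are assumptions, since this page elides those parts of the listing.

```shell
#!/bin/sh
# Added example (not from the guide): classify a kernel software provider
# from `cryptoadm list` output as active, inactive (unloaded) or absent
# (uninstalled).

# Constructed sample in the layout shown in Examples 14-26 to 14-28.
# The surrounding section headings and their entries are assumed; the page
# elides them.
SAMPLE_LIST='User-level providers:
	example_userlevel_provider
Kernel software providers:
	des
	aes (inactive)
	arcfour
	blowfish
Kernel hardware providers:
	example_hw/0'

# provider_state LIST_OUTPUT PROVIDER
# Prints "active", "inactive" or "absent" for PROVIDER, looking only at the
# "Kernel software providers:" section.
provider_state() {
    printf '%s\n' "$1" | awk -v prov="$2" '
        /^Kernel software providers:/ { insec = 1; next }
        /^[^ \t]/                     { insec = 0 }   # next unindented heading ends the section
        insec && $1 == prov {
            state = ($2 == "(inactive)") ? "inactive" : "active"
        }
        END { print (state == "") ? "absent" : state }
    '
}

# providers_in_state LIST_OUTPUT STATE
# Prints every kernel software provider in STATE (active|inactive), one per
# line, e.g. to alert on providers left inactive after maintenance.
providers_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Kernel software providers:/ { insec = 1; next }
        /^[^ \t]/                     { insec = 0 }
        insec && NF > 0 {
            state = ($2 == "(inactive)") ? "inactive" : "active"
            if (state == want) print $1
        }
    '
}

# Stand-alone demonstration against the constructed sample.
echo "aes: $(provider_state "$SAMPLE_LIST" aes)"
echo "rsa: $(provider_state "$SAMPLE_LIST" rsa)"
echo "inactive providers: $(providers_in_state "$SAMPLE_LIST" inactive)"
```

Run against live output with `provider_state "$(cryptoadm list)" aes`; a result of "inactive" that persists after `svcadm refresh system/cryptosvc` or a result of "absent" on a system that should have the provider is what a drift check should report.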