Dan Anderson wrote:
> This removes initial /etc/crypto/kcf.conf entries for kernel software 
> providers.  This eliminates a need to modify kcf.conf when these providers 
> are installed/removed.  Removing this need is motivated by the fact that 
> OpenSolaris IPS packages have no easy method of editing configuration files.
>   

 Couple of questions on the requirements and design. Not a code review.

 - What happens when an S10 system is upgraded to a Nevada build? Let us
 assume that the Nevada build is using SVR4 packaging. Assume the S10
 system has a modified kcf.conf file.

> The kcf.conf entries can still be present if cryptoadm(1M) disabled a 
> software provider or mechanism.
>
> Requirements:
> R-1. Initial (default) entries in kcf.conf should be pre-populated in KCF 
> when the module is loaded.
> R-2. Adding new crypto modules to KCF will require no upgrade to kcf.conf
>
> R-3. The initial kcf.conf file should be empty (except for comments)
> R-4. User modifications to kcf.conf shall continue to be only via cryptoadm 
> enable/cryptoadm disable.
> R-5. Third-party crypto modules will still be able to add KCF modules by 
> adding a supportedlist line to kcf.conf.
>   

 Can you describe step-by-step how a non-ON or third-party hardware
 provider (like SCA6000) is supposed to work in the new world? This will
 be useful documentation to provide to provider writers.

 For reference, this is what we have in the current packaging design
 document -

=============================================================
3rd party Packaging Procedure for KEF hardware device drivers
=============================================================
When a 3rd party builds a package for kernel hardware device drivers, they
need to

1. Add the "kcfconf" class into the CLASSES string of the pkginfo.tmpl
   file.

2. Create an input file "kcf.conf" in the "etc/crypto" directory.

   The syntax of the input file is

   driver_names=<driver_name_list>

   where <driver_name_list> ::= <name>{,<name>}*
         <name> ::= a device driver name


   A driver package can contain one or more drivers.  An input file example
   for a device driver package that contains only one driver is as follows:

   driver_names=dca

Internal Design Rationale:

   During the pkgadd time, the "i.kcfconf" script will take the input file
   and add a section of this package into the KEF configuration file
   /etc/crypto/kcf.conf.   When an administrator uses the cryptoadm command
   to explicitly disable some mechanisms for a hardware provider, the
   cryptoadm command will look up the corresponding driver section for the
   hardware provider and insert its policy information.

Thanks,
-Krishna
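
The following is an added example, not part of the original message or of the packaging design document it quotes: a shell check that a package's etc/crypto/kcf.conf input file matches the driver_names grammar above before any install-time script consumes it. The allowed characters in a driver name, the skipping of blank and comment lines, and the one-line-per-file rule are assumptions; parse_driver_names is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: validate a driver package's kcf.conf input file against
#   driver_names=<name>{,<name>}*
# Assumption: a driver name consists of letters, digits and underscores only.

# parse_driver_names FILE
# Prints one driver name per line; returns non-zero on any grammar violation.
parse_driver_names() {
    file=$1
    seen=0
    names=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;      # blank and comment lines skipped (assumption)
        esac
        case $line in
            driver_names=*) ;;
            *) echo "unexpected line: $line" >&2; return 1 ;;
        esac
        # Assumption: exactly one driver_names line per input file.
        [ "$seen" -eq 0 ] || { echo "duplicate driver_names line" >&2; return 1; }
        seen=1
        list=${line#driver_names=}
        # Empty list, leading or trailing comma, or an empty element.
        case $list in
            ''|,*|*,|*,,*) echo "empty driver name in list" >&2; return 1 ;;
        esac
        # Anything outside the assumed name alphabet (spaces, ';', '/', CR, ...).
        case $list in
            *[!A-Za-z0-9_,]*) echo "illegal character in list" >&2; return 1 ;;
        esac
        names=$list
    done < "$file"
    [ "$seen" -eq 1 ] || { echo "no driver_names line found" >&2; return 1; }
    printf '%s\n' "$names" | tr ',' '\n'
}

# Demo on the example from the design document (dca); the file is constructed here.
tmp=$(mktemp) && printf 'driver_names=dca\n' > "$tmp"
parse_driver_names "$tmp"
rm -f "$tmp"
```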

