I am sponsoring this fast-track for myself. The timer will expire
Dec 07, 2007.
Summary:
This case amends several older cases ([1], [2], [3], [4], [5], [7],
[8]) by moving various objects and subdirectories from /usr to /.
I am requesting to leave the taxonomy of these objects unchanged,
with a patch binding.
Problem:
The signature validation services required both for the
cryptographic framework ([3], [4]) and the planned signed execution
project ([6]) at present are restricted to starting after /usr is
mounted since several dependent libraries and plugins are in
subdirectories of /usr. For cryptographic services, this impedes
other services that require cryptographic support early in the
lifetime of the system, most obviously network services for the
secure mounting of /usr. For signed execution, this increases the
number of objects that require special "pre-validation" mechanisms
before the signed execution validation service can come online.
Proposed Changes:
The following table lists the primary objects being moved or
created. Any corresponding 64-bit versions, generic symlinks, and
lint libraries will be relocated in the same fashion. This list is
predicated on the removal of /usr/lib/libcrypto_extra.so.0.9.8 and
/usr/lib/libssl_extra.so.0.9.8 by [8].
Note  Old Location                          New Location
A     /usr/sbin/cryptoadm                   /sbin/cryptoadm
B                                           /lib/crypto
      /usr/lib/crypto/kcfd                  /lib/crypto/kcfd
C     /usr/lib/libcrypto.so.0.9.8           /lib/libcrypto.so.0.9.8
      /usr/lib/libcryptoutil.so.1           /lib/libcryptoutil.so.1
      /usr/lib/libelfsign.so.1              /lib/libelfsign.so.1
A     /usr/lib/libkmf.so.1                  /lib/libkmf.so.1
      /usr/lib/libkmfberder.so.1            /lib/libkmfberder.so.1
D     /usr/lib/security                     /lib/security
      /usr/lib/security/kmf_nss.so.1        /lib/security/kmf_nss.so.1
      /usr/lib/security/kmf_openssl.so.1    /lib/security/kmf_openssl.so.1
      /usr/lib/security/kmf_pkcs11.so.1     /lib/security/kmf_pkcs11.so.1
C     /usr/lib/libssl.so.0.9.8              /lib/libssl.so.0.9.8
A     /usr/lib/libxml2.so.2                 /lib/libxml2.so.2
A     /usr/lib/libz.so.1                    /lib/libz.so.1
Notes:
A     Symlinks will refer from the former location of these
      public objects to their new location.
B     New directory with Committed name, Volatile contents.
C     These objects have been approved for relocation from
      /usr/sfw/lib to /usr/lib by [7].
D     This directory becomes the default directory for KMF
      plugins [9].
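
The dependency problem described under "Problem" can be checked mechanically. The following is an added example, not part of the case or of any Solaris tool: it parses Solaris-style ldd output and lists the dependencies that are unusable before /usr is mounted, before and after applying the library relocations from the table. The ldd sample is constructed, and libexample.so.1 and libmissing.so.1 are hypothetical names.

```python
import re

# Library relocations taken from the table above (old path -> new path).
RELOCATED = {
    "/usr/lib/libcrypto.so.0.9.8": "/lib/libcrypto.so.0.9.8",
    "/usr/lib/libcryptoutil.so.1": "/lib/libcryptoutil.so.1",
    "/usr/lib/libelfsign.so.1": "/lib/libelfsign.so.1",
    "/usr/lib/libkmf.so.1": "/lib/libkmf.so.1",
    "/usr/lib/libkmfberder.so.1": "/lib/libkmfberder.so.1",
    "/usr/lib/libssl.so.0.9.8": "/lib/libssl.so.0.9.8",
    "/usr/lib/libxml2.so.2": "/lib/libxml2.so.2",
    "/usr/lib/libz.so.1": "/lib/libz.so.1",
}

# Constructed ldd-style output for illustration; not captured from a real
# system. libexample.so.1 and libmissing.so.1 are hypothetical.
SAMPLE_LDD = """\
        libcryptoutil.so.1 =>    /usr/lib/libcryptoutil.so.1
        libelfsign.so.1 =>       /usr/lib/libelfsign.so.1
        libkmf.so.1 =>   /usr/lib/libkmf.so.1
        libc.so.1 =>     /lib/libc.so.1
        libexample.so.1 =>       /usr/lib/libexample.so.1
        libmissing.so.1 =>       (file not found)
"""

LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(.+?)\s*$")

def parse_ldd(text):
    """Return {soname: resolved path, or None when ldd could not resolve it}."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            target = m.group(2)
            deps[m.group(1)] = target if target.startswith("/") else None
    return deps

def early_boot_blockers(deps, relocated=None):
    """Dependencies unusable before /usr is mounted: under /usr, or unresolved."""
    relocated = relocated or {}
    blockers = {}
    for soname, path in deps.items():
        path = relocated.get(path, path) if path else None
        if path is None or path == "/usr" or path.startswith("/usr/"):
            blockers[soname] = path
    return blockers

if __name__ == "__main__":
    deps = parse_ldd(SAMPLE_LDD)
    print("before:", early_boot_blockers(deps))
    print("after: ", early_boot_blockers(deps, RELOCATED))
```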
Integration Considerations:
The list of objects spans multiple prior projects. Since the
relocations of these objects are otherwise unrelated, I advise the
committee that it is likely that these changes will be integrated
over multiple integrations.
References:
[1] PSARC/1999/555 Getting with the Freeware Program
[2] PSARC/2001/175 Using XML and libxml in Solaris
[3] PSARC/2001/488 UEF: Userland Encryption Framework
[4] PSARC/2003/627 Retail/nonretail status
[5] PSARC/2005/074 Solaris Key Management Framework
[6] PSARC/2005/295 Barr - Signed Execution
[7] PSARC/2006/555 Move OpenSSL to /usr
[8] PSARC/2006/610 Data Encryption Kit (SUNWcry) Removal
[9] PSARC/2007/604 KMF Pluggability Enhancements