Review for 6414175 kcf.conf (due Oct. 23)
Dan Anderson
opensolaris at drydog.com
Tue Oct 14 17:33:51 PDT 2008
Here's a review for:
6414175 kcf.conf's supportedlist not providing much usefulness
http://dan.drydog.com/reviews/6414175-kcfconf/
This removes initial /etc/crypto/kcf.conf entries for kernel software providers. This eliminates a need to modify kcf.conf when these providers are installed/removed. Removing this need is motivated by the fact that OpenSolaris IPS packages have no easy method of editing configuration files.
The kcf.conf entries can still be present if cryptoadm(1M) disabled a software provider or mechanism.
Requirements:
R-1. Initial (default) entries in kcf.conf should be pre-populated in KCF when the module is loaded.
R-2. Adding new crypto modules to KCF will require no upgrade to kcf.conf.
R-3. The initial kcf.conf file should be empty (except for comments).
R-4. User modifications to kcf.conf shall continue to be only via cryptoadm enable/cryptoadm disable.
R-5. Third-party crypto modules will still be able to add KCF modules by adding a supportedlist line to kcf.conf.
Implementation:
In the kcf kernel module, soft_config_list is a linked list of crypto provider/mechanism entries. Currently it is initialized from kcf.conf when the cryptosvc service is started via the CRYPTO_LOAD_SOFT_CONFIG ioctl().
Change kcf_cryptoadm.c so when the kcf module is loaded, kcf_soft_init() will initialize the soft_config_list linked list with the list of default kernel modules and their respective mechanism names.
Remove all non-comment entries in the initial default kcf.conf file and from the postinstall/preremove package files.
--
This message posted from opensolaris.org
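
The load-time seeding and kcf.conf overlay described under "Implementation" above, modeled in userland C as an added example; it is not code from this message or from the OpenSolaris source. The `model_*` names, the struct layout and the two default entries are hypothetical and constructed. The `disabledlist` key and the `;` separator in the `name:key=list[;key=list]` line grammar are assumed from the kcf.conf format, not taken from this message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct entry {          /* userland model of a soft_config_list node */
    char name[256], supported[256], disabled[256]; struct entry *next;
} entry_t;
static entry_t *lookup(entry_t **list, const char *name, int create) {
    entry_t *e = *list;
    while (e != NULL && strcmp(e->name, name) != 0) e = e->next;
    if (e != NULL || !create || (e = calloc(1, sizeof *e)) == NULL) return e;
    snprintf(e->name, sizeof e->name, "%s", name);
    e->next = *list;
    return *list = e;
}
static int in_csv(const char *csv, const char *m) {    /* whole-token match */
    size_t n = strlen(m);
    for (const char *p = csv; n && (p = strstr(p, m)) != NULL; p++)
        if ((p == csv || p[-1] == ',') && (p[n] == ',' || !p[n])) return 1;
    return 0;
}
int model_apply_line(entry_t **list, const char *line) { /* 0 = ok, -1 = bad */
    char buf[256], *colon, *kv, *nx, *sup = NULL, *dis = NULL;
    if (line[0] == '#' || line[0] == '\0') return 0;    /* comment or blank */
    snprintf(buf, sizeof buf, "%s", line);
    if ((colon = strchr(buf, ':')) == NULL || colon == buf) return -1;
    for (*colon = '\0', kv = colon + 1; kv != NULL; kv = nx) {
        if ((nx = strchr(kv, ';')) != NULL) *nx++ = '\0';
        if (strncmp(kv, "supportedlist=", 14) == 0) sup = kv + 14;
        else if (strncmp(kv, "disabledlist=", 13) == 0) dis = kv + 13;
        else return -1;                 /* reject before touching the list */
    }
    entry_t *e = lookup(list, buf, 1);  /* R-5: unknown provider is added */
    if (e && sup) snprintf(e->supported, sizeof e->supported, "%s", sup);
    if (e && dis) snprintf(e->disabled, sizeof e->disabled, "%s", dis);
    return e ? 0 : -1;
}
/* R-1: seed the list at module load from constructed sample defaults. */
entry_t *model_soft_init(void) {
    static const char *defaults[] = { "des:supportedlist=CKM_DES_CBC,CKM_DES_ECB",
                                      "aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC" };
    entry_t *list = NULL;
    for (size_t i = 0; i < sizeof defaults / sizeof defaults[0]; i++)
        model_apply_line(&list, defaults[i]);
    return list;
}
int model_mech_enabled(entry_t *list, const char *name, const char *mech) {
    entry_t *e = lookup(&list, name, 0);
    return e && in_csv(e->supported, mech) && !in_csv(e->disabled, mech);
}
```

In this model a mechanism counts as enabled when it is in the provider's supported list and absent from its disabled list, so a comment-only kcf.conf leaves every default enabled and a single `disabledlist` line is enough to turn one mechanism off.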