On Fri, 16 Oct 2009, Neale Ferguson wrote:

> I have ported OpenSolaris to System z. One of the components
> missing that results in services not starting (cryptosvc and related),
> is that kcfd is closed source due to export restrictions. Are
> these restrictions still current? It'd be nice to have this
> code part of ON so it could be built for new platforms.

Unfortunately, those restrictions are still current. We are always reinvestigating this area, and would very much like to see this change. You should be able to use kcfd from the closed bin tar ball, though.

> Also, I cannot build pkcs11_tpm because libtspi is not available.
> I can't see that in the ON tree so I assume it is closed source too.

IIRC building of pkcs11_tpm, and the rest of the tpm stuff, relies on packages that are from other consolidations. I've cc'ed someone here who may know more.

> Likewise SUNWosnetCF etc. used to sign these guys don't
> appear in the closed_bins package.

That is correct - those certificates are for internal only use, BUT you can get your own signing certificate to sign crypto objects as part of your build. Please see "elfsign request" and we should be able to issue you a certificate, pending checks against the Denied and Restricted Party List and a couple of other US export regulation required checks we need to do. Having your own certificate key/pair should help you do your own builds much more easily.

Let us know if there's anything else we can do to help!

Valerie

--
Valerie Fenwick, http://blogs.sun.com/bubbva/ @bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.
