Upcoming Security PSARC cases
There are some hints in the PSARC case log that the project surrounding “Validated Execution” is picking up speed. The goal is an operating environment in which only binaries that were validated beforehand get executed:
- PSARC 2009/668: bart Extensions
  The bart file system audit facility is extended to:
  a) use an extensible XML-format manifest
  b) support additional hash algorithms for content verification
  c) provide for direct validation of files against a manifest
  d) provide for signing and signature verification of manifests
- PSARC 2009/669: Signed Execution Daemon
  Kernel enforcement of object validation via upcall to a daemon. If the daemon is not present, execution proceeds without restriction. This subproject depends on the bart extensions (PSARC 2009/668).
- PSARC 2009/670: Read-Only Boot from ZFS Snapshot
  Allow for booting from a ZFS snapshot. The boot image will be read-only. Early in boot a clone of the root is created and used to provide writable storage for the system image during its lifetime. Upon reboot, the system image will reset to the same previous state.
- PSARC 2009/671: Validated Boot
  This project combines and extends the bart extensions (PSARC 2009/668), the signed execution daemon (PSARC 2009/669), and the boot-from-snapshot functionality (PSARC 2009/670) to provide a validated environment from boot.
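To make the four bart extension points above concrete (XML manifest, selectable hash algorithm, direct validation of files against the manifest, signed manifest), here is a small added Python sketch; it is not bart's code or schema. The element and attribute names are invented for this example, and an HMAC key stands in for whatever signing scheme the real case uses; the point it shows is that the signature is checked before any digest inside the manifest is trusted.

```python
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-ins: an HMAC key plays the manifest signing key, and the
# element/attribute names below are invented for this sketch, not bart's schema.
MANIFEST_KEY = b"constructed-demo-key"
def file_digest(path, algo):
    # Hash one file with a selectable algorithm (the "additional hash algorithm" point).
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def build_manifest(root, paths, algo="sha256"):
    # Emit the XML manifest as bytes plus a signature over exactly those bytes.
    m = ET.Element("manifest", algo=algo)
    for rel in sorted(paths):
        ET.SubElement(m, "file", path=rel, digest=file_digest(os.path.join(root, rel), algo))
    body = ET.tostring(m)
    return body, hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()

def validate(root, body, sig):
    # Verify the signature before trusting any digest, then check every listed file. Empty list = clean.
    expected = hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return ["manifest signature invalid"]
    m = ET.fromstring(body)
    problems = []
    for entry in m.findall("file"):
        rel, full = entry.get("path"), os.path.join(root, entry.get("path"))
        if not os.path.isfile(full):
            problems.append("missing: " + rel)
        elif file_digest(full, m.get("algo")) != entry.get("digest"):
            problems.append("modified: " + rel)
    return problems

def demo():
    # Constructed scenario: manifest two files, then tamper with one, then forge the manifest.
    root = tempfile.mkdtemp()
    for rel, data in (("ls", b"ls binary"), ("passwd", b"root:x:0:0")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    body, sig = build_manifest(root, ["ls", "passwd"])
    clean = validate(root, body, sig)
    with open(os.path.join(root, "ls"), "ab") as f:
        f.write(b"!")
    tampered = validate(root, body, sig)
    forged = validate(root, body.replace(b'path="ls"', b'path="sl"'), sig)
    return clean, tampered, forged
```

Running `demo()` returns an empty list for the untouched tree, a single "modified: ls" entry after the file is changed, and only the signature failure for the edited manifest, since its digests are never consulted.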
There is no further public information in the case log directories at the moment, but these developments are really interesting ones. :)