author | Anthony Scarpino <Anthony.Scarpino@Sun.COM> | 2010-02-23 13:34:52 -0800 |
---|---|---|
committer | Anthony Scarpino <Anthony.Scarpino@Sun.COM> | 2010-02-23 13:34:52 -0800 |
commit | d3b2efc749bec3b757d5f018cf78c9a09fa29cb3 (patch) | |
tree | 2d3e389ca2be51b8fe1e4aed7072e59681fd52e2 | |
parent | 76fa7285ab719293f713601f68497677a82ce6f9 (diff) | |
download | illumos-gate-d3b2efc749bec3b757d5f018cf78c9a09fa29cb3.tar.gz |
6849769 crypto modules _init: crypto_register_provider() failed during shutdown
6885135 assertion failed: kcf_dh != NULL
6907099 module load/unload errors could be a little less techie and ominous
-rw-r--r-- | usr/src/uts/common/crypto/core/kcf.c | 13 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/core/kcf_prov_tabs.c | 4 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/aes.c | 47 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/arcfour.c | 41 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/blowfish.c | 50 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/ecc.c | 46 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/md4_mod.c | 28 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/md5_mod.c | 21 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/rsa.c | 44 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/sha1_mod.c | 13 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/sha2_mod.c | 13 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/io/swrand.c | 42 | ||||
-rw-r--r-- | usr/src/uts/common/crypto/spi/kcf_spi.c | 93 | ||||
-rw-r--r-- | usr/src/uts/common/des/des_crypt.c | 11 |
14 files changed, 197 insertions, 269 deletions
diff --git a/usr/src/uts/common/crypto/core/kcf.c b/usr/src/uts/common/crypto/core/kcf.c index 2b0701e0bd..ea1f125821 100644 --- a/usr/src/uts/common/crypto/core/kcf.c +++ b/usr/src/uts/common/crypto/core/kcf.c @@ -87,6 +87,7 @@ static struct modlinkage modlinkage = { }; static int rngtimer_started; +extern int sys_shutdown; int _init() @@ -685,9 +686,9 @@ kcf_verify_signature(void *arg) if (rkda != kda) kmem_free(rkda, darg.rsize); - } else { - cmn_err(CE_WARN, "Module verification door upcall failed " - "for %s. errno = %d", filename, rv); + } else if (sys_shutdown == 0) { + cmn_err(CE_WARN, "Unable to use door to kcfd during module " + "verification of %s. (errno: 0x%x)", filename, rv); } kmem_free(kda, sizeof (kcf_door_arg_t) + mp->sigsize); @@ -721,8 +722,12 @@ out: int crypto_load_door(uint_t did) { + door_handle_t dh; + mutex_enter(&kcf_dh_lock); - kcf_dh = door_ki_lookup(did); + dh = door_ki_lookup(did); + if (dh != NULL) + kcf_dh = dh; mutex_exit(&kcf_dh_lock); verify_unverified_providers(); diff --git a/usr/src/uts/common/crypto/core/kcf_prov_tabs.c b/usr/src/uts/common/crypto/core/kcf_prov_tabs.c index 0d72669f06..dd238b2a1c 100644 --- a/usr/src/uts/common/crypto/core/kcf_prov_tabs.c +++ b/usr/src/uts/common/crypto/core/kcf_prov_tabs.c @@ -884,7 +884,9 @@ verify_unverified_providers() kcf_provider_desc_t *pd; boolean_t need_verify; - ASSERT(kcf_dh != NULL); + if (kcf_dh == NULL) + return; + mutex_enter(&prov_tab_mutex); for (i = 0; i < KCF_MAX_PROVIDERS; i++) { diff --git a/usr/src/uts/common/crypto/io/aes.c b/usr/src/uts/common/crypto/io/aes.c index 45044e1940..328599e331 100644 --- a/usr/src/uts/common/crypto/io/aes.c +++ b/usr/src/uts/common/crypto/io/aes.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
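Review bot: The bare `extern int sys_shutdown;` added near the top of kcf.c is repeated verbatim in kcf_spi.c later in this commit, so the variable's type is restated in two source files with nothing tying either copy to the definition. If a kernel header already declares it, including that header is the safer form; otherwise one declaration in a shared crypto header would do. A short comment next to the declaration saying that it is read only to silence warnings while the system is going down (which is how both files use it) would also help the next reader.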
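Review bot: In crypto_load_door(), a failed `door_ki_lookup(did)` is now swallowed: `kcf_dh` keeps its previous value, `verify_unverified_providers()` still runs, and nothing in the hunk tells the caller that the door id was rejected. If the function goes on to return success (its tail is outside the hunk), the caller would believe the door is loaded while module verification continues with a stale or missing handle. Consider returning an error when `dh == NULL`, and when an existing `kcf_dh` is replaced, check whether the hold on the old handle needs to be released.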
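Review bot: The new `if (kcf_dh == NULL) return;` in verify_unverified_providers() reads `kcf_dh` without `kcf_dh_lock`, while crypto_load_door() in this same commit only writes it under that lock. The early return also leaves every unverified provider in that state without any trace, which is a quieter outcome than the ASSERT it replaces. A comment stating when a NULL handle is expected and what re-triggers verification would help, for example `/* kcfd door not available; providers stay unverified until crypto_load_door() runs again */`, assuming that is the intended behaviour. The function body continues outside the hunk.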
@@ -232,51 +232,26 @@ _init(void) { int ret; - /* - * Register with KCF. If the registration fails, return error. - */ - if ((ret = crypto_register_provider(&aes_prov_info, - &aes_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "%s _init: crypto_register_provider()" - "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); - return (EACCES); - } + if ((ret = mod_install(&modlinkage)) != 0) + return (ret); - if ((ret = mod_install(&modlinkage)) != 0) { - int rv; - - ASSERT(aes_prov_handle != NULL); - /* We should not return if the unregister returns busy. */ - while ((rv = crypto_unregister_provider(aes_prov_handle)) - == CRYPTO_BUSY) { - cmn_err(CE_WARN, - "%s _init: crypto_unregister_provider() " - "failed (0x%x). Retrying.", - CRYPTO_PROVIDER_NAME, rv); - /* wait 10 seconds and try again. */ - delay(10 * drv_usectohz(1000000)); - } + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&aes_prov_info, &aes_prov_handle)) { + (void) mod_remove(&modlinkage); + return (EACCES); } - return (ret); + return (0); } int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (aes_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(aes_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, - "%s _fini: crypto_unregister_provider() " - "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); + if (crypto_unregister_provider(aes_prov_handle)) return (EBUSY); - } + aes_prov_handle = NULL; } diff --git a/usr/src/uts/common/crypto/io/arcfour.c b/usr/src/uts/common/crypto/io/arcfour.c index 4607862a6e..fe6a64497d 100644 --- a/usr/src/uts/common/crypto/io/arcfour.c +++ b/usr/src/uts/common/crypto/io/arcfour.c 
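Review bot: The rewritten `_init()` and `_fini()` test the KCF return code by truthiness, `if (crypto_register_provider(&aes_prov_info, &aes_prov_handle))`, which relies on CRYPTO_SUCCESS being zero; the code this replaces, and md5_mod.c's `_fini()` elsewhere in this commit, compare against the constant. Writing `!= CRYPTO_SUCCESS` keeps the success contract visible at the call site. The same form appears in the arcfour.c, blowfish.c, ecc.c, md4_mod.c, rsa.c and swrand.c hunks. Separately, `(void) mod_remove(&modlinkage)` discards a failure that would leave the module installed while `_init()` reports EACCES; a one-line comment on why that is acceptable would help.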
@@ -152,29 +152,13 @@ _init(void) { int ret; - /* - * Register with KCF. If the registration fails, log an error - * and uninstall the module. - */ - if ((ret = crypto_register_provider(&rc4_prov_info, - &rc4_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "_init: crypto_register_provider(%s)" - "failed (0x%x)", "arcfour", ret); - return (EACCES); - } + if ((ret = mod_install(&modlinkage)) != 0) + return (ret); - if ((ret = mod_install(&modlinkage)) != 0) { - int rv; - - ASSERT(rc4_prov_handle != NULL); - /* We should not return if the unregister returns busy. */ - while ((rv = crypto_unregister_provider(rc4_prov_handle)) - == CRYPTO_BUSY) { - cmn_err(CE_WARN, "_init: crypto_unregister_provider(%s)" - " failed (0x%x). Retrying.", "arcfour", rv); - /* wait 10 seconds and try again. */ - delay(10 * drv_usectohz(1000000)); - } + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&rc4_prov_info, &rc4_prov_handle)) { + (void) mod_remove(&modlinkage); + return (EACCES); } return (0); @@ -183,18 +167,11 @@ _init(void) int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (rc4_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(rc4_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "_fini: crypto_unregister_provider(%s)" - " failed (0x%x)", "arcfour", ret); + if (crypto_unregister_provider(rc4_prov_handle)) return (EBUSY); - } + rc4_prov_handle = NULL; } diff --git a/usr/src/uts/common/crypto/io/blowfish.c b/usr/src/uts/common/crypto/io/blowfish.c index 92b23b5aa4..f475f1e961 100644 --- a/usr/src/uts/common/crypto/io/blowfish.c +++ b/usr/src/uts/common/crypto/io/blowfish.c 
@@ -19,12 +19,10 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" - /* * Blowfish provider for the Kernel Cryptographic Framework (KCF) */ @@ -203,51 +201,27 @@ _init(void) { int ret; - /* - * Register with KCF. If the registration fails, return error. - */ - if ((ret = crypto_register_provider(&blowfish_prov_info, - &blowfish_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "%s _init: crypto_register_provider() " - "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); - return (EACCES); - } + if ((ret = mod_install(&modlinkage)) != 0) + return (ret); - if ((ret = mod_install(&modlinkage)) != 0) { - int rv; - - ASSERT(blowfish_prov_handle != NULL); - /* We should not return if the unregister returns busy. */ - while ((rv = crypto_unregister_provider(blowfish_prov_handle)) - == CRYPTO_BUSY) { - cmn_err(CE_WARN, - "%s _init: crypto_unregister_provider() " - "failed (0x%x). Retrying.", - CRYPTO_PROVIDER_NAME, rv); - /* wait 10 seconds and try again */ - delay(10 * drv_usectohz(1000000)); - } + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&blowfish_prov_info, + &blowfish_prov_handle)) { + (void) mod_remove(&modlinkage); + return (EACCES); } - return (ret); + return (0); } int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (blowfish_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(blowfish_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, - "%s _fini: crypto_unregister_provider() " - "failed (0x%x)", CRYPTO_PROVIDER_NAME, ret); + if (crypto_unregister_provider(blowfish_prov_handle)) return (EBUSY); - } + blowfish_prov_handle = NULL; } 
diff --git a/usr/src/uts/common/crypto/io/ecc.c b/usr/src/uts/common/crypto/io/ecc.c index 1cd7a26ed1..3d1a2c6317 100644 --- a/usr/src/uts/common/crypto/io/ecc.c +++ b/usr/src/uts/common/crypto/io/ecc.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -248,50 +248,26 @@ _init(void) { int ret; - /* - * Register with KCF. If the registration fails, return error. - */ - if ((ret = crypto_register_provider(&ecc_prov_info, - &ecc_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "ecc _init: crypto_register_provider()" - "failed (0x%x)", ret); - return (EACCES); - } + if ((ret = mod_install(&modlinkage)) != 0) + return (ret); - if ((ret = mod_install(&modlinkage)) != 0) { - int rv; - - ASSERT(ecc_prov_handle != NULL); - /* We should not return if the unregister returns busy. */ - while ((rv = crypto_unregister_provider(ecc_prov_handle)) - == CRYPTO_BUSY) { - cmn_err(CE_WARN, "ecc _init: " - "crypto_unregister_provider() " - "failed (0x%x). Retrying.", rv); - /* wait 10 seconds and try again. */ - delay(10 * drv_usectohz(1000000)); - } + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&ecc_prov_info, &ecc_prov_handle)) { + (void) mod_remove(&modlinkage); + return (EACCES); } - return (ret); + return (0); } int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (ecc_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(ecc_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "ecc _fini: " - "crypto_unregister_provider() " - "failed (0x%x)", ret); + if (crypto_unregister_provider(ecc_prov_handle)) return (EBUSY); - } + ecc_prov_handle = NULL; } 
diff --git a/usr/src/uts/common/crypto/io/md4_mod.c b/usr/src/uts/common/crypto/io/md4_mod.c index 8fb8fdd622..b574a0df39 100644 --- a/usr/src/uts/common/crypto/io/md4_mod.c +++ b/usr/src/uts/common/crypto/io/md4_mod.c @@ -20,10 +20,9 @@ */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" /* * In kernel module, the md4 module is created with one modlinkage, @@ -165,16 +164,10 @@ _init(void) if ((ret = mod_install(&modlinkage)) != 0) return (ret); - /* - * Register with KCF. If the registration fails, log an - * error and uninstall the module. - */ - if ((ret = crypto_register_provider(&md4_prov_info, - &md4_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "md4 _init: " - "crypto_register_provider() failed (0x%x)", ret); + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&md4_prov_info, &md4_prov_handle)) { (void) mod_remove(&modlinkage); - return (ret); + return (EACCES); } return (0); @@ -183,18 +176,11 @@ _init(void) int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (md4_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(md4_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "md4 _fini: " - "crypto_unregister_provider() failed (0x%x)", ret); + if (crypto_unregister_provider(md4_prov_handle)) return (EBUSY); - } + md4_prov_handle = NULL; } diff --git a/usr/src/uts/common/crypto/io/md5_mod.c b/usr/src/uts/common/crypto/io/md5_mod.c index 3e40ddf68c..7c7759dfc5 100644 --- a/usr/src/uts/common/crypto/io/md5_mod.c +++ b/usr/src/uts/common/crypto/io/md5_mod.c 
@@ -20,7 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -244,14 +244,11 @@ _init(void) return (ret); /* - * Register with KCF. If the registration fails, log an - * error but do not uninstall the module, since the functionality - * provided by misc/md5 should still be available. + * Register with KCF. If the registration fails, do not uninstall the + * module, since the functionality provided by misc/md5 should still be + * available. */ - if ((ret = crypto_register_provider(&md5_prov_info, - &md5_prov_handle)) != CRYPTO_SUCCESS) - cmn_err(CE_WARN, "md5 _init: " - "crypto_register_provider() failed (0x%x)", ret); + (void) crypto_register_provider(&md5_prov_info, &md5_prov_handle); return (0); } @@ -266,11 +263,9 @@ _fini(void) */ if (md5_prov_handle != NULL) { if ((ret = crypto_unregister_provider(md5_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "md5 _fini: " - "crypto_unregister_provider() failed (0x%x)", ret); - return (EBUSY); - } + CRYPTO_SUCCESS) + return (ret); + md5_prov_handle = NULL; } diff --git a/usr/src/uts/common/crypto/io/rsa.c b/usr/src/uts/common/crypto/io/rsa.c index b81b52c829..d38d7f18e8 100644 --- a/usr/src/uts/common/crypto/io/rsa.c +++ b/usr/src/uts/common/crypto/io/rsa.c 
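Review bot: md5's `_fini()` now hands back the raw KCF status with `return (ret);` where it used to return `EBUSY`, so a CRYPTO_* value reaches the module framework where every other provider touched by this commit returns an errno. Unless the caller is known to treat any nonzero value alike, this should stay `return (EBUSY);`, matching aes.c, arcfour.c, blowfish.c, ecc.c, md4_mod.c and rsa.c. The start of `_fini()` and its tail are outside the hunk.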
@@ -337,50 +337,26 @@ _init(void) { int ret; - /* - * Register with KCF. If the registration fails, return error. - */ - if ((ret = crypto_register_provider(&rsa_prov_info, - &rsa_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "rsa _init: crypto_register_provider()" - "failed (0x%x)", ret); - return (EACCES); - } + if ((ret = mod_install(&modlinkage)) != 0) + return (ret); - if ((ret = mod_install(&modlinkage)) != 0) { - int rv; - - ASSERT(rsa_prov_handle != NULL); - /* We should not return if the unregister returns busy. */ - while ((rv = crypto_unregister_provider(rsa_prov_handle)) - == CRYPTO_BUSY) { - cmn_err(CE_WARN, "rsa _init: " - "crypto_unregister_provider() " - "failed (0x%x). Retrying.", rv); - /* wait 10 seconds and try again. */ - delay(10 * drv_usectohz(1000000)); - } + /* Register with KCF. If the registration fails, remove the module. */ + if (crypto_register_provider(&rsa_prov_info, &rsa_prov_handle)) { + (void) mod_remove(&modlinkage); + return (EACCES); } - return (ret); + return (0); } int _fini(void) { - int ret; - - /* - * Unregister from KCF if previous registration succeeded. - */ + /* Unregister from KCF if module is registered */ if (rsa_prov_handle != NULL) { - if ((ret = crypto_unregister_provider(rsa_prov_handle)) != - CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "rsa _fini: " - "crypto_unregister_provider() " - "failed (0x%x)", ret); + if (crypto_unregister_provider(rsa_prov_handle)) return (EBUSY); - } + rsa_prov_handle = NULL; } diff --git a/usr/src/uts/common/crypto/io/sha1_mod.c b/usr/src/uts/common/crypto/io/sha1_mod.c index 2ed4c9275d..001eec766b 100644 --- a/usr/src/uts/common/crypto/io/sha1_mod.c +++ b/usr/src/uts/common/crypto/io/sha1_mod.c @@ -20,7 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -211,14 +211,11 @@ _init() return (ret); /* - * Register with KCF. If the registration fails, log an - * error but do not uninstall the module, since the functionality - * provided by misc/sha1 should still be available. + * Register with KCF. If the registration fails, log do not uninstall + * the module, since the functionality provided by misc/sha1 should + * still be available. */ - if ((ret = crypto_register_provider(&sha1_prov_info, - &sha1_prov_handle)) != CRYPTO_SUCCESS) - cmn_err(CE_WARN, "sha1 _init: " - "crypto_register_provider() failed (0x%x)", ret); + (void) crypto_register_provider(&sha1_prov_info, &sha1_prov_handle); return (0); } diff --git a/usr/src/uts/common/crypto/io/sha2_mod.c b/usr/src/uts/common/crypto/io/sha2_mod.c index 44f4c24ff8..2d353ae499 100644 --- a/usr/src/uts/common/crypto/io/sha2_mod.c +++ b/usr/src/uts/common/crypto/io/sha2_mod.c @@ -20,7 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -237,14 +237,11 @@ _init() return (ret); /* - * Register with KCF. If the registration fails, log an - * error but do not uninstall the module, since the functionality - * provided by misc/sha2 should still be available. + * Register with KCF. If the registration fails, do not uninstall the + * module, since the functionality provided by misc/sha2 should still + * be available. */ - if ((ret = crypto_register_provider(&sha2_prov_info, - &sha2_prov_handle)) != CRYPTO_SUCCESS) - cmn_err(CE_WARN, "sha2 _init: " - "crypto_register_provider() failed (0x%x)", ret); + (void) crypto_register_provider(&sha2_prov_info, &sha2_prov_handle); return (0); } diff --git a/usr/src/uts/common/crypto/io/swrand.c b/usr/src/uts/common/crypto/io/swrand.c index d38d03d310..4c5dd443dc 100644 --- a/usr/src/uts/common/crypto/io/swrand.c +++ b/usr/src/uts/common/crypto/io/swrand.c 
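Review bot: The rewritten comment in sha1_mod.c's `_init()` reads "If the registration fails, log do not uninstall the module"; the word "log" is left over from the old text. The sha2_mod.c hunk on this page has the intended wording, `* Register with KCF. If the registration fails, do not uninstall the`. Since the return value is now discarded with `(void)`, the comment could also say that crypto_register_provider() itself reports the failure, which is what the kcf_spi.c hunks in this commit add.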
@@ -206,16 +206,6 @@ _init(void) hrtime_t ts; time_t now; - /* - * Register with KCF. If the registration fails, return error. - */ - if ((ret = crypto_register_provider(&swrand_prov_info, - &swrand_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "swrand : Kernel Random Number Provider " - "disabled for /dev/random use"); - return (EACCES); - } - mutex_init(&srndpool_lock, NULL, MUTEX_DEFAULT, NULL); mutex_init(&buffer_lock, NULL, MUTEX_DEFAULT, NULL); cv_init(&srndpool_read_cv, NULL, CV_DEFAULT, NULL); @@ -243,21 +233,12 @@ _init(void) ASSERT(ret == 0); if (physmem_ent_init(&entsrc) != 0) { - mutex_destroy(&srndpool_lock); - mutex_destroy(&buffer_lock); - cv_destroy(&srndpool_read_cv); - (void) crypto_unregister_provider(swrand_prov_handle); - return (ENOMEM); + ret = ENOMEM; + goto exit1; } - if ((ret = mod_install(&modlinkage)) != 0) { - mutex_destroy(&srndpool_lock); - mutex_destroy(&buffer_lock); - cv_destroy(&srndpool_read_cv); - physmem_ent_fini(&entsrc); - (void) crypto_unregister_provider(swrand_prov_handle); - return (ret); - } + if ((ret = mod_install(&modlinkage)) != 0) + goto exit2; /* Schedule periodic mixing of the pool. */ mutex_enter(&srndpool_lock); @@ -266,7 +247,22 @@ _init(void) (void) swrand_get_entropy((uint8_t *)swrand_XKEY, HASHSIZE, B_TRUE); bcopy(swrand_XKEY, previous_bytes, HASHSIZE); + /* Register with KCF. If the registration fails, return error. */ + if (crypto_register_provider(&swrand_prov_info, &swrand_prov_handle)) { + (void) mod_remove(&modlinkage); + ret = EACCES; + goto exit2; + } + return (0); + +exit2: + physmem_ent_fini(&entsrc); +exit1: + mutex_destroy(&srndpool_lock); + mutex_destroy(&buffer_lock); + cv_destroy(&srndpool_read_cv); + return (ret); } int diff --git a/usr/src/uts/common/crypto/spi/kcf_spi.c b/usr/src/uts/common/crypto/spi/kcf_spi.c index 2634ed3624..826b4ab838 100644 --- a/usr/src/uts/common/crypto/spi/kcf_spi.c +++ b/usr/src/uts/common/crypto/spi/kcf_spi.c 
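Review bot: In swrand's `_init()`, registration now comes last, after the block introduced by the context comment `/* Schedule periodic mixing of the pool. */`, and the new failure path jumps to `exit2`, which destroys `srndpool_lock`, `buffer_lock` and `srndpool_read_cv`. If that block arms a timeout (those lines fall between the two hunks and are not visible), the callback is still pending when the locks are destroyed and the module is removed. Either register with KCF before the periodic mixing is scheduled, or cancel it on this path before `goto exit2`. The ignored result of `(void) mod_remove(&modlinkage)` matters here for the same reason: if removal fails, the module stays installed with its locks already destroyed.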
@@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -70,6 +70,8 @@ static kcf_prov_stats_t kcf_stats_ks_data_template = { #define KCF_SPI_COPY_OPS(src, dst, ops) if ((src)->ops != NULL) \ *((dst)->ops) = *((src)->ops); +extern int sys_shutdown; + /* * Copy an ops vector from src to dst. Used during provider registration * to copy the ops vector from the provider info structure to the @@ -134,8 +136,10 @@ crypto_register_provider(crypto_provider_info_t *info, kcf_provider_desc_t *prov_desc = NULL; int ret = CRYPTO_ARGUMENTS_BAD; - if (info->pi_interface_version > CRYPTO_SPI_VERSION_4) - return (CRYPTO_VERSION_MISMATCH); + if (info->pi_interface_version > CRYPTO_SPI_VERSION_4) { + ret = CRYPTO_VERSION_MISMATCH; + goto errormsg; + } /* * Check provider type, must be software, hardware, or logical. @@ -143,7 +147,7 @@ crypto_register_provider(crypto_provider_info_t *info, if (info->pi_provider_type != CRYPTO_HW_PROVIDER && info->pi_provider_type != CRYPTO_SW_PROVIDER && info->pi_provider_type != CRYPTO_LOGICAL_PROVIDER) - return (CRYPTO_ARGUMENTS_BAD); + goto errormsg; /* * Allocate and initialize a new provider descriptor. We also 
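Review bot: The provider-type check in crypto_register_provider() now does a bare `goto errormsg` and depends on the initializer `int ret = CRYPTO_ARGUMENTS_BAD;` several lines up to select the right message, while the version check just above it sets `ret` explicitly. Assigning `ret = CRYPTO_ARGUMENTS_BAD;` before the jump would make the two branches read alike and survive a later change to the initializer. The function body continues outside these hunks.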
@@ -415,6 +419,49 @@ undo_then_bail: ret = CRYPTO_FAILED; bail: KCF_PROV_REFRELE(prov_desc); + +errormsg: + if (ret != CRYPTO_SUCCESS && sys_shutdown == 0) { + switch (ret) { + case CRYPTO_FAILED: + cmn_err(CE_WARN, "%s failed when registering with the " + "Cryptographic Framework.", + info->pi_provider_description); + break; + + case CRYPTO_MODVERIFICATION_FAILED: + cmn_err(CE_WARN, "%s failed module verification when " + "registering with the Cryptographic Framework.", + info->pi_provider_description); + break; + + case CRYPTO_ARGUMENTS_BAD: + cmn_err(CE_WARN, "%s provided bad arguments and was " + "not registered with the Cryptographic Framework.", + info->pi_provider_description); + break; + + case CRYPTO_VERSION_MISMATCH: + cmn_err(CE_WARN, "%s was not registered with the " + "Cryptographic Framework as there is a SPI version " + "mismatch (%d) error.", + info->pi_provider_description, + info->pi_interface_version); + break; + + case CRYPTO_FIPS140_ERROR: + cmn_err(CE_WARN, "%s was not registered with the " + "Cryptographic Framework as there was a FIPS 140 " + "validation error.", info->pi_provider_description); + break; + + default: + cmn_err(CE_WARN, "%s did not register with the " + "Cryptographic Framework. (0x%x)", + info->pi_provider_description, ret); + }; + } + return (ret); } @@ -450,10 +497,14 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) uint_t mech_idx; kcf_provider_desc_t *desc; kcf_prov_state_t saved_state; + int ret = CRYPTO_SUCCESS; /* lookup provider descriptor */ - if ((desc = kcf_prov_tab_lookup((crypto_provider_id_t)handle)) == NULL) - return (CRYPTO_UNKNOWN_PROVIDER); + if ((desc = kcf_prov_tab_lookup((crypto_provider_id_t)handle)) == + NULL) { + ret = CRYPTO_UNKNOWN_PROVIDER; + goto errormsg; + } mutex_enter(&desc->pd_lock); /* 
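Review bot: The `switch` in the new `errormsg:` block of crypto_register_provider() closes with `};`, which leaves an empty statement after the block; the matching block added to crypto_unregister_provider() does the same, and both should end with a plain `}`. The CRYPTO_VERSION_MISMATCH message prints `info->pi_interface_version` with `%d`; if that field is unsigned (its declaration is not visible here), `%u` is the matching conversion. The two switch blocks are near-duplicates and could share one static helper that takes the description string and the status.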
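Review bot: When `kcf_prov_tab_lookup()` returns NULL in crypto_unregister_provider(), the new `goto errormsg` reaches the switch added in the last hunk of this function, whose CRYPTO_UNKNOWN_PROVIDER case formats `desc->pd_description` while `desc` is still NULL. Outside shutdown, unregistering a stale or invalid handle would therefore dereference a null pointer in the kernel instead of returning CRYPTO_UNKNOWN_PROVIDER. The lookup failure should log without touching `desc` and return directly, as sketched below. The rest of the function is outside this hunk.

```c
	/* lookup provider descriptor */
	if ((desc = kcf_prov_tab_lookup((crypto_provider_id_t)handle)) ==
	    NULL) {
		/* No descriptor exists, so there is no description to print. */
		if (sys_shutdown == 0)
			cmn_err(CE_WARN, "An unknown provider was requested "
			    "to unregister from the Cryptographic Framework.");
		return (CRYPTO_UNKNOWN_PROVIDER);
	}
	/* … unchanged: pd_lock acquisition and state checks … */
```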
@@ -464,7 +515,8 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) mutex_exit(&desc->pd_lock); /* Release reference held by kcf_prov_tab_lookup(). */ KCF_PROV_REFRELE(desc); - return (CRYPTO_BUSY); + ret = CRYPTO_BUSY; + goto errormsg; } saved_state = desc->pd_state; @@ -498,7 +550,8 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) CRYPTO_SUCCESS) { /* Release reference held by kcf_prov_tab_lookup(). */ KCF_PROV_REFRELE(desc); - return (CRYPTO_UNKNOWN_PROVIDER); + ret = CRYPTO_UNKNOWN_PROVIDER; + goto errormsg; } delete_kstat(desc); @@ -560,7 +613,29 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) mutex_exit(&prov_tab_mutex); } - return (CRYPTO_SUCCESS); +errormsg: + if (ret != CRYPTO_SUCCESS && sys_shutdown == 0) { + switch (ret) { + case CRYPTO_UNKNOWN_PROVIDER: + cmn_err(CE_WARN, "Unknown provider \"%s\" was " + "requested to unregister from the cryptographic " + "framework.", desc->pd_description); + break; + + case CRYPTO_BUSY: + cmn_err(CE_WARN, "%s could not be unregistered from " + "the Cryptographic Framework as it is busy.", + desc->pd_description); + break; + + default: + cmn_err(CE_WARN, "%s did not unregister with the " + "Cryptographic Framework. (0x%x)", + desc->pd_description, ret); + }; + } + + return (ret); } /* diff --git a/usr/src/uts/common/des/des_crypt.c b/usr/src/uts/common/des/des_crypt.c index 88a30f3847..0a2d2a81de 100644 --- a/usr/src/uts/common/des/des_crypt.c +++ b/usr/src/uts/common/des/des_crypt.c @@ -20,7 +20,7 @@ * */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
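Review bot: Both this CRYPTO_BUSY path and the failure path in the next hunk call `KCF_PROV_REFRELE(desc)` and then `goto errormsg`, where `desc->pd_description` is read. If that release can drop the last reference to the descriptor (not determinable from these hunks), the warning is formatted from memory that may already be freed. Releasing the reference after the message is emitted, or emitting the message before `KCF_PROV_REFRELE(desc)`, removes the question.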
@@ -269,15 +269,12 @@ _init(void) return (ret); /* - * Register with KCF. If the registration fails, log an + * Register with KCF. If the registration fails, kcf will log an * error but do not uninstall the module, since the functionality * provided by misc/des should still be available. + * */ - if ((ret = crypto_register_provider(&des_prov_info, - &des_prov_handle)) != CRYPTO_SUCCESS) { - cmn_err(CE_WARN, "des _init: crypto_register_provider() " - "failed (0x%x)", ret); - } + (void) crypto_register_provider(&des_prov_info, &des_prov_handle); return (0); } |
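Review bot: The rewritten comment in des `_init()` gains an empty ` *` line before the closing `*/` and now reads "kcf will log an error but do not uninstall the module", which switches subject mid-sentence. Suggested wording, without the blank line: `If the registration fails, KCF logs the error; the module stays installed because misc/des is still usable.` The start of `_init()` is outside the hunk.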