Securing Systems and Attached Devices in Oracle® Solaris 11.2


Updated: September 2014
 
 

Policies for Verified Boot

Two policies manage verified boot:

  • The boot policy regulates the verification of the UNIX and genunix modules. These modules are the first to be loaded during the boot process.

  • The module policy regulates the verification of other kernel modules that need to be loaded after the genunix module.

On legacy SPARC systems and x86 systems, the policies are defined in the boot_policy and module_policy variables of the /etc/system file. On SPARC systems with Oracle ILOM verified-boot support, boot_policy and module_policy are properties of Oracle ILOM in /HOSTx/verified_boot, where x is the physical domain (PDomain) number.

Both variables or properties can be configured with one of the following values:

  • none - No boot verification is performed. By default, neither boot_policy nor module_policy is configured, so verified boot is disabled.

  • warning - The elfsign signature of each kernel module is verified before the module is loaded. If verification fails on a module, the module is still loaded. The discrepancies are recorded on the system console or, if available, in the system log. By default, the log is /var/adm/messages.

  • enforce - The elfsign signature of each kernel module is verified before the module is loaded. If verification fails on a module, the module is not loaded. The discrepancies are recorded on the system console or, if available, in the system log. By default, the log is /var/adm/messages.
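Because an unconfigured policy means no verification, a quick check on legacy SPARC and x86 systems is to confirm that both variables are actually set in /etc/system. The following is an added example, not Oracle's code; it assumes the ordinary /etc/system form `set name=value` with `*` or `#` comment lines, reports the raw value because this page does not show how the policy values are written in that file, and uses the hypothetical helper names `policy_value`, `verified_boot_status` and `write_sample`.

```shell
#!/bin/sh
# Added example (not Oracle's code). Assumes the usual /etc/system syntax:
# "set <name>=<value>", with "*" or "#" starting a comment line.

# policy_value FILE NAME: print the last value assigned to NAME, or "unset".
# Treating the last assignment as the effective one is an assumption.
policy_value() {
    val=$(sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*${2}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# verified_boot_status FILE: report both policies; return 1 if either is unset.
verified_boot_status() {
    rc=0
    for name in boot_policy module_policy; do
        v=$(policy_value "$1" "$name")
        if [ "$v" = "unset" ]; then
            echo "$name: not configured (default: no verification)"
            rc=1
        else
            echo "$name: configured, raw value '$v'"
        fi
    done
    return "$rc"
}

# write_sample FILE: constructed sample; PLACEHOLDER stands in for a real value.
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample, not from a real system
* set boot_policy=PLACEHOLDER
set module_policy=PLACEHOLDER
EOF
}

# Demo on the constructed sample; on a real host pass /etc/system instead.
sample=$(mktemp)
write_sample "$sample"
verified_boot_status "$sample" || echo "verified boot is not fully configured"
rm -f "$sample"
```

The sample deliberately leaves boot_policy commented out, so the check flags a system where only the module policy is set.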

In addition to configuring the policies, you also specify elfsign X.509 public key certificates on the system. As with the policies, you specify the certificates either by using a variable or by defining an Oracle ILOM property.

On systems with Oracle ILOM that supports verified boot, a preinstalled verified boot certificate file, /etc/certs/ORCLS11SE, is provided as part of Oracle ILOM. On legacy SPARC systems and x86 systems, the certificate is available as the Oracle Solaris file /etc/certs/ORCLS11SE.

The certificate contains the RSA public key that is used to verify the elfsign signatures in ELF objects. You can also install a company-provided certificate to replace /etc/certs/ORCLS11SE. All certificates are loaded and managed on each individual PDomain.