Use this procedure if your system does not have the means to store boot verification configuration outside of the system's local filesystem.
When you enable boot verification on this type of system, note the following security considerations:
Configuration information is stored in the local file system and is therefore accessible.
Any privileged user can modify the configuration.
Policy settings can be changed, and boot verification itself can be disabled.
Extra keys can be added that might allow any arbitrary elfsign signer to sign object modules.
For example, in /etc/system, you might type the following (shown in bold):
* Verified Boot settings: 1=none (default), 2=warning, 3=enforce set boot_policy=2 set module_policy=2
Specify the number that corresponds to the configuration that you want for each variable. The variables can have differing configurations. For an explanation of these policy configurations, see Policies for Verified Boot.
If the boot policy is configured with enforce and discrepancies in the UNIX or genunix modules are detected, the system does not boot. Instead, the system reverts to OpenBoot PROM (OBP).
set verified_boot_certs="/etc/certs/THIRDPARTYSE"
where THIRDPARTY is the name of the certificate file provided by the user.
# bootadm update-archive
For SPARC systems:
# mount -r -F hsfs /platform/sun4v/boot_archive /mnt
For x86 systems:
# mount -r -F hsfs /platform/x86-type/boot_archive /mnt
where x86-type is either i86pc or amd64.
# gzcat /mnt/etc/system | egrep ‘verified|policy‘ # ls -l /etc/certs