Verified boot automates the verification of the elfsign signatures of Oracle Solaris kernel modules. With verified boot, the administrator can create a verifiable chain of trust in the boot process beginning from system reset up to the completion of the boot process.
During a system boot, each block of code that is started in the boot process verifies the next block that needs to be loaded. The sequence of verification and loading continues until the last kernel module is loaded.
When a power cycle is subsequently performed on the system, a new sequence of verification begins. The administrator can also configure verified boot to take the appropriate action in the event of verification failure.
Consider the boot flow of Oracle Solaris on a SPARC system:
Firmware -> Bootblock -> /platform/.../unix -> genunix -> other kernel modules
SPARC firmware is installed at the factory. The firmware's digital signature can also be updated by using the fwupdate utility. The firmware verifies, and then loads, the Oracle Solaris /platform/.../unix module, which is the initial Oracle Solaris module. In turn, the Oracle Solaris kernel runtime loader krtld, which is part of the module, verifies and loads the generic UNIX (genunix) module and subsequent modules.