Configuring SPARC Verified Boot Properties
On some of Oracle's SPARC systems, Verified Boot can be used to verify system boot blocks and Oracle Solaris kernel modules before they are loaded on the system. Use Oracle ILOM to enable Verified Boot and to specify how the system should respond when a verification check fails. Enabling Verified Boot can prevent harmful changes to the system boot blocks or Oracle Solaris kernel modules from taking effect. For further details about setting this policy in Oracle ILOM, see the property descriptions in Table 72, Verified Boot Properties.

To use the Verified Boot feature, Oracle Solaris 11.2 or later must be installed on the system.

Before you upload certificates to verify Oracle Solaris kernel modules, ensure that the following requirements are met:
- The certificates can be accessed through your network or local file system.
- The certificates are in PEM format, following the X.509 standard.
- The certificates are not encrypted with a passphrase.
Table 72 Verified Boot Properties

Property: Boot Policy (boot_policy)
Default: none
Description: none | warning | enforce
- none – The system does not run verification checks on boot blocks, unix, or genunix.
- warning – When a verification check fails, a warning message is logged on the host console, and the boot process continues.
- enforce – When a verification check fails, an error message is logged on the host console, and the boot process is aborted.
CLI Syntax for Boot Policy:
Single host server:
set /Host/verified_boot boot_policy=none|warning|enforce
Multi-domain host server:
set /Servers/PDomains/PDomain_n/HOST/verified_boot boot_policy=none|warning|enforce
Note - When Boot Policy for Verified Boot is set to Enforce and the Non-volatile RAM configuration variable "use-nvramrc?" is set to True, the Solaris boot operation might fail on some SPARC platforms (such as SPARC T7 and M7 series servers). For further details, see the 3.2.5 Known Issues section in the Oracle ILOM Feature Updates and Release Notes.

Property: System Certificates (/system_certs/1)
Description: View the system_certs/1 target for details about pre-installed certificate files, such as the issuer and subject of the file.

Property: User Certificates (/user_certs/n)
Description: Load up to five custom certificate files to verify Solaris kernel modules other than unix and genunix. View the user_certs/n target for details about user-loaded certificate files, such as the issuer and subject of the files.
CLI Syntax to Load Custom Certificate at Boot:
Single host server:
set /Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI
Multi-domain host server:
set /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI
Where n is the ID you want to associate with the certificate file and protocol is any of the transfer protocols supported by Oracle ILOM. For a list of supported protocols, see Supported File Transfer Methods.
CLI Syntax to Remove Verified Boot Custom Certificate:
Single host server:
reset /Host/verified_boot/user_certs/n
Multi-domain host server:
reset /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n
Where n is the ID of the certificate file you want to remove.
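The three certificate requirements listed before the table (reachable file, PEM-encoded X.509, no passphrase) and the user_certs/n load syntax in Table 72 are easy to get wrong in a way ILOM only reports after the upload. The following is an added example, not Oracle's code or part of this documentation: a local pre-flight check that inspects a PEM file for those three conditions using only the Python standard library, plus a helper that builds the ILOM set command for a user_certs slot and refuses slot numbers outside the five the table allows. The sample inputs, the _FAKE_DER payload (a bare DER SEQUENCE, not a real certificate) and the tftp URI are constructed; consult Supported File Transfer Methods for the protocols your ILOM accepts.

```python
import base64
import re

# Added example (not Oracle's code): pre-flight checks for a certificate file
# before it is loaded into /Host/verified_boot/user_certs/n.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
MAX_USER_CERT_SLOTS = 5  # user_certs/1 .. user_certs/5 per Table 72


def _der_sequence(buf):
    """Return (header_len, content_len) if buf starts with a DER SEQUENCE, else None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


def check_pem_certificates(text):
    """Return a list of problems; an empty list means the file looks loadable."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM armor found; expected a -----BEGIN CERTIFICATE----- block"]
    for label, body in blocks:
        # Requirement 3: no passphrase. PKCS#8 uses an ENCRYPTED label,
        # legacy OpenSSL keys carry a Proc-Type: 4,ENCRYPTED header.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"'{label}' block is passphrase-encrypted; Verified Boot needs unencrypted PEM")
            continue
        # Requirement 2: an X.509 certificate, not a key or signing request.
        if label != "CERTIFICATE":
            problems.append(f"'{label}' block is not a certificate; only X.509 certificates belong in user_certs")
            continue
        # Drop RFC 1421 header lines (they contain ':') and join the base64 lines.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append("CERTIFICATE block body is not valid base64")
            continue
        # X.509: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        outer = _der_sequence(der)
        if outer is None or outer[0] + outer[1] != len(der):
            problems.append("CERTIFICATE block does not decode to a complete DER SEQUENCE")
            continue
        if _der_sequence(der[outer[0]:]) is None:
            problems.append("CERTIFICATE block lacks the inner tbsCertificate SEQUENCE")
    return problems


def user_cert_load_command(slot, load_uri, pdomain=None):
    """Build the Table 72 load command for slot n; pdomain selects the multi-domain path."""
    if not 1 <= slot <= MAX_USER_CERT_SLOTS:
        raise ValueError(f"user_certs slot must be 1..{MAX_USER_CERT_SLOTS}, got {slot}")
    prefix = "/Host" if pdomain is None else f"/Servers/PDomains/PDomain_{pdomain}/Host"
    return f"set {prefix}/verified_boot/user_certs/{slot} load_uri={load_uri}"


# --- constructed sample inputs (stand-ins, not real certificates) ----------
# SEQUENCE { SEQUENCE { INTEGER 1 } }: enough to exercise the framing checks.
_FAKE_DER = bytes.fromhex("30053003020101")
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(_FAKE_DER).decode()
               + "-----END CERTIFICATE-----\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
                        "\n"
                        "AAAAAAAAAAAAAAAAAAAAAA==\n"
                        "-----END RSA PRIVATE KEY-----\n")
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAUw\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, data in [("cert", SAMPLE_CERT), ("encrypted key", SAMPLE_ENCRYPTED_KEY),
                       ("truncated", SAMPLE_TRUNCATED), ("not PEM", "hello\n")]:
        print(f"{name}: {check_pem_certificates(data) or 'OK'}")
    print(user_cert_load_command(2, "tftp://192.0.2.10/vbcert.pem"))
```

Run the check against the actual file you intend to reference in load_uri; a clean result means the file has the shape ILOM expects, while a non-empty list names the requirement that fails. The DER framing check deliberately stops at the outer and tbsCertificate SEQUENCE tags; it does not validate signatures or chains, which is ILOM's job once the certificate is loaded.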