Go to main content

Creating and Using Oracle® Solaris Kernel Zones

Exit Print View

Updated: August 2021
 
 

Using Verified Boot to Secure an Oracle Solaris Kernel Zone

You can use verified boot to secure a kernel zone's boot process. Verified boot protects a kernel zone from corrupted kernel zone modules, malicious programs, and installation of unauthorized third-party kernel modules by securely loading Oracle Solaris kernel modules before execution.

    Verified boot enables you to perform the following actions:

  • Automate the elfsign(1) verification of Oracle Solaris kernel modules. By default, you use only the Oracle Solaris system certificate for verification. With verified boot, you can specify additional certificates enabling you to load third-party kernel modules or modules signed for another version of Oracle Solaris.

  • Create a verifiable chain of trust in the boot process beginning from kernel zone reboot up to the completion of the boot process.

Use the verified-boot resource type to enable and to configure verified boot on a kernel zone. Verified boot and the verified-boot resource type are supported only for solaris-kz brand zones. For examples and information about properties, see verified-boot Resource Type in Oracle Solaris Zones Configuration Resources.

For additional information about certificate verification and verified boot, see the elfsign(1) man page and Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.4.