
Creating and Using Oracle® Solaris Kernel Zones


Updated: December 2018

Using Verified Boot to Secure an Oracle Solaris Kernel Zone

You can use verified boot to secure a kernel zone's boot process. Verified boot protects a kernel zone from corrupted kernel zone modules, malicious programs, and installation of unauthorized third-party kernel modules by verifying each Oracle Solaris kernel module before it is loaded and executed.

Verified boot enables you to perform the following actions:

  • Automate the elfsign(1) verification of Oracle Solaris kernel modules. By default, you use only the Oracle Solaris system certificate for verification. With verified boot, you can specify additional certificates enabling you to load third-party kernel modules or modules signed for another version of Oracle Solaris.

  • Create a verifiable chain of trust in the boot process beginning from kernel zone reboot up to the completion of the boot process.

Use the verified-boot zonecfg resource property to enable and to configure verified boot on a kernel zone.

Verified boot and the verified-boot resource property are supported only on solaris-kz brand zones.

For additional information about certificate verification and verified boot on Oracle Solaris 11.3, see the elfsign(1) man page and Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.3.

About the verified-boot Resource Property and elfsign Verification

The verified-boot resource property controls a kernel zone's boot policy and certificate settings. The properties of this resource are:

  • policy

    The policy property regulates the verification of the unix, genunix and other kernel modules. The possible values for this property are as follows:

    warning

    Prints a warning message if elfsign verification fails. This is the default value.

    none

    No action occurs if elfsign signature verification fails.

    Note - The verified-boot resource property is not enabled if the policy value is set to none.

    enforce

    Prints a warning message if elfsign signature verification fails. The kernel module does not load.

  • cert

    The cert property specifies the location of the elfsign(1) X.509 public key certificate on the system. You specify the certificate location with a URI of the X.509 cert file. For a local file, the certificate must be located in the global zone's file system. For remote URIs, the URI must be accessible from the global zone.

    Use the add subcommand to add a certificate. You can add up to seven certificates on each kernel zone.

Example 17  Enabling Verified Boot in a Kernel Zone

This example creates the kernel zone kz1 on the system global. The verified-boot policy value is set to enforce. This directs the kernel to not boot if boot file signature verification fails and to print an error message on failure.

global$ zonecfg -z kz1
kz1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:kz1> create -t SYSsolaris-kz
zonecfg:kz1> set zonepath=/rpool/zones/kz1
zonecfg:kz1> set autoboot=true
zonecfg:kz1> add verified-boot
zonecfg:kz1:verified-boot> set policy=enforce
zonecfg:kz1:verified-boot> end
zonecfg:kz1> verify
zonecfg:kz1> commit
zonecfg:kz1> exit

Example 18  Configuring Kernel Zone Verified Boot With Multiple Certificates

This example demonstrates adding the verified-boot zonecfg resource to an already-configured kernel zone kz2 on the system global. Two certificates are added to the configuration.

global$ zonecfg -z kz2
zonecfg:kz2> add verified-boot
zonecfg:kz2:verified-boot> set policy=warning
zonecfg:kz2:verified-boot> add cert file:///etc/certs/SOLARIS-KZ
zonecfg:kz2:verified-boot> add cert http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> info
verified-boot:
   policy: warning
    cert: file:///etc/certs/SOLARIS-KZ
    cert: http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> end
zonecfg:kz2> verify
zonecfg:kz2> commit
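The following audit script is an added example, not part of the Oracle documentation or the zonecfg tool. It reads a zonecfg command file written in the same syntax as the sessions above (add verified-boot, set policy=, add cert, end), and reports configurations that leave a kernel zone unverified: a missing resource, policy set to none or warning, more than the seven certificates the page allows, a non-solaris-kz brand, or a cert URI that is not an absolute file:// path or a remote URI. It assumes the command-file form mirrors the interactive commands shown, that the brand is taken from the create -t SYS<brand> template name or a set brand= line, and that https:// is accepted alongside http:// for remote certs.

```python
MAX_CERTS = 7  # limit stated on this page: up to seven certs per kernel zone

def parse_zonecfg(commands):
    """Return (brand, policy, certs); policy is None if no verified-boot resource was added."""
    brand, policy, certs, in_vb = None, None, [], False
    for raw in commands.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("create -t SYS"):      # assumption: template name carries the brand
            brand = line[len("create -t SYS"):]
        elif line.startswith("set brand="):
            brand = line.split("=", 1)[1]
        elif line == "add verified-boot":
            policy, in_vb = "warning", True      # documented default once the resource exists
        elif line == "end":
            in_vb = False
        elif in_vb and line.startswith("set policy="):
            policy = line.split("=", 1)[1]
        elif in_vb and line.startswith("add cert "):
            certs.append(line[len("add cert "):])
    return brand, policy, certs

def audit(commands):
    """Return a list of findings; an empty list means an enforcing, well-formed config."""
    brand, policy, certs = parse_zonecfg(commands)
    if policy is None:
        return ["no verified-boot resource: kernel modules are not verified at boot"]
    findings = []
    if brand not in (None, "solaris-kz"):
        findings.append(f"verified-boot is supported only on solaris-kz, not brand {brand}")
    if policy == "none":
        findings.append("policy=none disables verified boot entirely")
    elif policy == "warning":
        findings.append("policy=warning only logs failures; unsigned modules still load")
    if len(certs) > MAX_CERTS:
        findings.append(f"{len(certs)} certs configured, limit is {MAX_CERTS}")
    for uri in certs:
        if uri.startswith("file://") and not uri.startswith("file:///"):
            findings.append(f"{uri}: file URI must be an absolute path in the global zone")
        elif not uri.startswith(("file://", "http://", "https://")):
            findings.append(f"{uri}: not a file:// or http(s):// URI")
    return findings

# Constructed inputs mirroring the page's Example 17 (kz1) and Example 18 (kz2) sessions.
KZ1 = "create -t SYSsolaris-kz\nset autoboot=true\nadd verified-boot\nset policy=enforce\nend\n"
KZ2 = ("create -t SYSsolaris-kz\nadd verified-boot\nset policy=warning\n"
       "add cert file:///etc/certs/SOLARIS-KZ\nadd cert http://example/keydist/cert.pem\nend\n")
```

Run audit() over the output of zonecfg -z <zone> export (saved to a file) to review zones in bulk; kz1 above yields no findings, kz2 reports that its warning policy still loads unsigned modules.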