You can use verified boot to secure a kernel zone's boot process. Verified boot protects a kernel zone from corrupted kernel zone modules, malicious programs, and installation of unauthorized third-party kernel modules by securely loading Oracle Solaris kernel modules before execution.
Verified boot enables you to perform the following actions:
Automate the elfsign(1) verification of Oracle Solaris kernel modules. By default, you use only the Oracle Solaris system certificate for verification. With verified boot, you can specify additional certificates enabling you to load third-party kernel modules or modules signed for another version of Oracle Solaris.
Create a verifiable chain of trust in the boot process beginning from kernel zone reboot up to the completion of the boot process.
Use the verified-boot zonecfg resource property to enable and to configure verified boot on a kernel zone.
Verified boot and the verified-boot resource property are supported only on solaris-kz brand zones.
For additional information about certificate verification and verified boot on Oracle Solaris 11.3, see the elfsign(1) man page and Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.3.
The verified-boot resource property controls a kernel zone's boot policy and certificate settings. The properties of this resource are:
policy
The policy property regulates the verification of the unix, genunix and other kernel modules. The possible values for this property are as follows:
warning
Prints a warning message if elfsign verification fails. This is the default value.
none
No action occurs if elfsign signature verification fails.
enforce
Prints a warning message if elfsign signature verification fails. The kernel module does not load.
cert
The cert property specifies the location of the elfsign(1) X.509 public key certificate on the system. You specify the certificate location with a URI of the X.509 cert file. For a local file, the certificate must be located in the global zone's file system. For remote URIs, the URI must be accessible from the global zone.
Use the add subcommand to add a certificate. You can add up to seven certificates on each kernel zone.
This example creates the kernel zone kz1 on the system global. The verified-boot policy value is set to enforce. This directs the kernel to not boot if boot file signature verification fails and to print an error message on failure.
global$ zonecfg -z kz1
kz1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:kz1> create -t SYSsolaris-kz
zonecfg:kz1> set zonepath=/rpool/zones/kz1
zonecfg:kz1> set autoboot=true
zonecfg:kz1> add verified-boot
zonecfg:kz1:verified-boot> set policy=enforce
zonecfg:kz1:verified-boot> end
zonecfg:kz1> verify
zonecfg:kz1> commit
zonecfg:kz1> exit
Example 18 Configuring Kernel Zone Verified Boot With Multiple Certificates
This example demonstrates adding the verified-boot zonecfg resource to an already-configured kernel zone kz2 on the system global. Two certificates are added to the configuration.
global$ zonecfg -z kz2
zonecfg:kz2> add verified-boot
zonecfg:kz2:verified-boot> set policy=warning
zonecfg:kz2:verified-boot> add cert file:///etc/certs/SOLARIS-KZ
zonecfg:kz2:verified-boot> add cert http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> info
verified-boot:
    policy: warning
    cert: file:///etc/certs/SOLARIS-KZ
    cert: http://example/keydist/cert.pem
zonecfg:kz2:verified-boot> end
zonecfg:kz2> verify
zonecfg:kz2> commit
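The following audit helper is an added example, not part of the Oracle documentation or of zonecfg itself. It parses the `info verified-boot` output shown above (fed on stdin, for instance from `zonecfg -z kz2 info verified-boot`, an assumed invocation) and reports whether the policy is enforce, whether the certificate count stays within the limit of seven, and which certificates are loaded from remote URIs so an administrator can review them.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Oracle's code): audit the
# verified-boot resource of a kernel zone from 'info verified-boot' output.
# Reads the resource text on stdin, prints one summary line of the form
#   policy=<value> certs=<n> remote=<n>
# and returns 0 only when policy is enforce and at most seven certs are set.
audit_verified_boot() {
    policy=""
    certs=0
    remote=0
    # 'read -r key value' strips the indentation that zonecfg prints and
    # splits "policy: enforce" / "cert: <uri>" into a key and a value.
    while read -r key value; do
        case "$key" in
            policy:)
                policy=$value
                ;;
            cert:)
                certs=$((certs + 1))
                case "$value" in
                    file://*) ;;   # local file in the global zone's file system
                    *)             # anything else is fetched from a remote URI
                        remote=$((remote + 1))
                        echo "review remote cert: $value"
                        ;;
                esac
                ;;
        esac
    done
    echo "policy=${policy:-unset} certs=$certs remote=$remote"
    rc=0
    [ "$policy" = "enforce" ] || { echo "WARN: policy is '${policy:-unset}', not enforce"; rc=1; }
    [ "$certs" -le 7 ] || { echo "WARN: $certs certs exceed the limit of seven"; rc=1; }
    return $rc
}

# Constructed sample: the kz2 configuration from the example above.
sample_kz2='verified-boot:
    policy: warning
    cert: file:///etc/certs/SOLARIS-KZ
    cert: http://example/keydist/cert.pem'

if printf '%s\n' "$sample_kz2" | audit_verified_boot; then
    echo "kz2: verified boot configuration passes"
else
    echo "kz2: verified boot configuration needs attention"
fi
```

For a real zone, replace the constructed sample with the output of zonecfg and run the script from the global zone.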