Use this task to enable secure verified boot through the Oracle ILOM CLI. Alternatively, you can use the Oracle ILOM web interface. See Secure Verified Boot (Oracle ILOM Web Interface).
Verified boot is the verification of object modules, using digital signatures, before they are executed. It protects Oracle Solaris against the loading of rogue kernel modules and so increases the security and robustness of the system.
If enabled, Oracle Solaris verified boot checks the factory-signed signature in a kernel module before loading and executing the module. This check detects accidental or malicious modification of a module. The action taken on a failed check is configurable: either a warning message is printed and the module is loaded and executed anyway, or the load fails and the module is neither loaded nor executed.
-> set /HOST/verified_boot/ module_policy=enforce
Set 'module_policy' to 'enforce'
A preinstalled verified boot certificate file, /etc/certs/ORCLS11SE, is provided as part of Oracle ILOM.
# more /etc/certs/ORCLS11SE
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIQDfuxWi0q5YGAhus0XqR+7TANBgkqhkiG9w0BAQUFADCB
….
CXZousDBt9DdhjX6d0ZPLkdzBxqm8Bxg9H3iKtZBPuhZBl9iXvLEOzY8sS0AW7UF
UHGOvZ9U6m4Tq5+KDiJ8QXZG2ipTeat5XdzLmzA9w2jrrfx0N+NcgvIVjdPXD8C4
wgaJllToqg==
-----END CERTIFICATE-----
-> set /HOST/verified_boot/user_certs/1 load_uri=console
Enter Ctrl-z to save and process information.
Enter Ctrl-c to exit and discard changes.
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIQDfuxWi0q5YGAhus0XqR+7TANBgkqhkiG9w0BAQUFADCB
….
CXZousDBt9DdhjX6d0ZPLkdzBxqm8Bxg9H3iKtZBPuhZBl9iXvLEOzY8sS0AW7UF
UHGOvZ9U6m4Tq5+KDiJ8QXZG2ipTeat5XdzLmzA9w2jrrfx0N+NcgvIVjdPXD8C4
wgaJllToqg==
-----END CERTIFICATE-----^Z
Load successful.
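Pasting a certificate into the ILOM console and committing it with Ctrl-z gives you no feedback beyond "Load successful." until you run show, so it is worth checking the PEM text before the paste. The script below is an added example, not part of the Oracle documentation or of ILOM; it uses only the Python standard library and a constructed DER blob (not a real X.509 certificate) as sample input. It confirms the file holds exactly one BEGIN/END CERTIFICATE pair, that the body is strict base64, and that the decoded byte count matches the length the outer DER SEQUENCE declares, which is how a paste that lost its last line is caught.

```python
"""Pre-flight check for a PEM certificate before pasting it into an ILOM
console load (load_uri=console).

Added example for illustration, not Oracle's code.  Standard library only.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract exactly one CERTIFICATE block and base64-decode it strictly."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    try:
        # validate=True rejects any character outside the base64 alphabet,
        # so stray console characters in the paste are reported, not ignored.
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from None


def der_declared_length(der: bytes) -> int:
    """Return the total size (header + content) the outer DER SEQUENCE declares."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    num_len_bytes = first & 0x7F          # long form: count of length bytes
    if num_len_bytes == 0 or num_len_bytes > 4:
        raise ValueError("indefinite or oversized DER length; not a certificate")
    if len(der) < 2 + num_len_bytes:
        raise ValueError("truncated inside the DER length field")
    content_len = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return 2 + num_len_bytes + content_len


def check_pem_certificate(pem: str) -> dict:
    """Run all checks; return a summary or raise ValueError describing the defect."""
    der = pem_to_der(pem)
    declared = der_declared_length(der)
    if declared != len(der):
        raise ValueError(f"DER declares {declared} bytes but {len(der)} were decoded "
                         "(paste truncated or extra data appended)")
    return {"der_bytes": len(der), "declared_bytes": declared}


def paste_is_intact(pem: str) -> bool:
    """Boolean wrapper for scripts that only need a go/no-go answer."""
    try:
        check_pem_certificate(pem)
        return True
    except ValueError:
        return False


# --- constructed sample input (NOT a real certificate) ---------------------
def der_sequence(content: bytes) -> bytes:
    """Wrap bytes in a DER SEQUENCE, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + content


def to_pem(der: bytes) -> str:
    """PEM-encode with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# 300 filler bytes inside a SEQUENCE: header is 30 82 01 2C, total 304 bytes.
SAMPLE_DER = der_sequence(bytes(range(256)) + b"\x00" * 44)
SAMPLE_PEM = to_pem(SAMPLE_DER)

# The same paste with its final body line dropped: still valid base64,
# but 16 bytes shorter than the declared 304, so the length check fails.
TRUNCATED_PEM = "\n".join(SAMPLE_PEM.splitlines()[:-2]) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("intact   :", check_pem_certificate(SAMPLE_PEM))
    try:
        check_pem_certificate(TRUNCATED_PEM)
    except ValueError as err:
        print("truncated:", err)
```

Run it against the real file (for example, the contents of /etc/certs/ORCLS11SE) instead of SAMPLE_PEM before pasting; anything it rejects should not be committed with Ctrl-z.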
-> show /HOST/verified_boot/user_certs/1/
 /HOST/verified_boot/user_certs/1
    Targets:

    Properties:
        clear_action = (Cannot show property)
        issuer = /C=US/O=Oracle Corporation/OU=VeriSign Trust Network/OU=Class 2 Managed PKI Individual Subscriber CA/CN=Object Signing CA
        load_uri = (Cannot show property)
        subject = /O=Oracle Corporation/OU=Corporate Object Signing/OU=Solaris Signed Execution/CN=Solaris 11
        valid_from = Mar 1 00:00:00 2012 GMT
        valid_until = Mar 1 23:59:59 2015 GMT

    Commands:
        cd
        load
        reset
        show
->
When you use verified boot, the OpenBoot use-nvramrc? parameter must be set to false. This prevents OpenBoot from being modified to disable verified boot functionality. The default value is false. Log in to Oracle Solaris and confirm the setting:
$ /usr/sbin/eeprom use-nvramrc?
use-nvramrc?=false