Oracle^® SuperCluster M8 and SuperCluster M7 Security Guide

Enable Secure Verified Boot (Oracle ILOM CLI)

Use this task to enable secure verified boot through the Oracle ILOM CLI. Alternatively, you can use the Oracle ILOM web interface. See Secure Verified Boot (Oracle ILOM Web Interface).

Verified boot refers to verification of object modules before execution using digital signatures. Oracle Solaris protects against the loading of rogue kernel modules. Verified boot increases the security and robustness of Oracle Solaris by verifying kernel modules before execution.

If enabled, Oracle Solaris verified boot checks the factory-signed signature in a kernel module before loading and executing the module. This check detects accidental or malicious modification of a module. The action taken is configurable and, when enabled, will either print a warning message and continue loading and executing the module, or will fail and not load and execute the module.

1. Access Oracle ILOM on the compute server.

   See Log into a Compute Server.

2. Enable verified boot.

   -> set /HOST/verified_boot/ module_policy=enforce
   Set 'module_policy' to 'enforce'
   

3. Access and display the Oracle provided certificate.

   A preinstalled verified boot certificate file, /etc/certs/ORCLS11SE, is provided as part of Oracle ILOM.

   # more /etc/certs/ORCLS11SE
   -----BEGIN CERTIFICATE-----
   MIIFEzCCA/ugAwIBAgIQDfuxWi0q5YGAhus0XqR+7TANBgkqhkiG9w0BAQUFADCB
   ….
   CXZousDBt9DdhjX6d0ZPLkdzBxqm8Bxg9H3iKtZBPuhZBl9iXvLEOzY8sS0AW7UF
   UHGOvZ9U6m4Tq5+KDiJ8QXZG2ipTeat5XdzLmzA9w2jrrfx0N+NcgvIVjdPXD8C4
   wgaJllToqg==
   -----END CERTIFICATE-----
   

4. Initiate the loading of the certificate.

   -> set /HOST/verified_boot/user_certs/1 load_uri=console
   

5. Copy the contents of the /etc/certs/ORCLS11SE file and paste into the Oracle ILOM console.

   Enter Ctrl-z to save and process information.

   Enter Ctrl-c to exit and discard changes.

   -----BEGIN CERTIFICATE-----
   MIIFEzCCA/ugAwIBAgIQDfuxWi0q5YGAhus0XqR+7TANBgkqhkiG9w0BAQUFADCB
   ….
   CXZousDBt9DdhjX6d0ZPLkdzBxqm8Bxg9H3iKtZBPuhZBl9iXvLEOzY8sS0AW7UF
   UHGOvZ9U6m4Tq5+KDiJ8QXZG2ipTeat5XdzLmzA9w2jrrfx0N+NcgvIVjdPXD8C4
   wgaJllToqg==
   -----END CERTIFICATE-----^Z
   Load successful.
   

6. Verify the certificate.

   -> show /HOST/verified_boot/user_certs/1/
   /HOST/verified_boot/user_certs/1
   Targets:
   Properties:
   clear_action = (Cannot show property)
   issuer = /C=US/O=Oracle Corporation/OU=VeriSign Trust Network/OU=Class 2 Managed PKI Individual
   Subscriber CA/CN=Object Signing CA
   load_uri = (Cannot show property)
   subject = /O=Oracle Corporation/OU=Corporate Object Signing/OU=Solaris Signed Execution/CN=Solaris 11
   valid_from = Mar 1 00:00:00 2012 GMT
   valid_until = Mar 1 23:59:59 2015 GMT
   Commands:
   cd
   load
   reset
   show
   ->
   

7. Verify that the OpenBoot use-nvram parameter is set to false.

   When you use verified boot, the OpenBoot use-nvram parameter must be set to false. This prevents OpenBoot from being modified to disable verified boot functionality. The default value is false. Log into Oracle Solaris and type:

   $ /usr/sbin/eeprom/eeprom use-nvramrc?
   
   use-nvramrc?=false