Configuring SPARC Verified Boot Properties

Language:

On some of Oracle's SPARC systems, Verified Boot can be used to verify system boot blocks and Oracle Solaris kernel modules before they are loaded on the system. Use Oracle ILOM to enable Verified Boot and to specify how the system should respond when a verification check fails. Enabling Verified Boot can prevent harmful changes to the system boot blocks or Oracle Solaris kernel modules from taking effect. For further details about setting this policy in Oracle ILOM, see the property descriptions in Figure 73, Table 73, Verified Boot Properties.

To use the Verified Boot feature, Oracle Solaris 11.2 or later must be installed on the system.

Before you upload certificates to verify Oracle Solaris kernel modules, ensure that the following requirements are met:

The certificates can be accessed through your network or local file system.
The certificates are in PEM format, following the X.509 standard.
The certificates are not encrypted with a passphrase.

Table 73 Verified Boot Properties

User Interface Configurable Target and User Role: SP CLI: `/Host/verified_boot` (or, `/Servers/PDomains/PDomain_n/Host/verified boot)` Web: Host Management > Verified Boot User Role: Reset and Host Control (r) role
Property	Default	Description
Boot Policy (`boot_policy` )	none	`none \|warning\|enforce` none – The system does not run verification checks on boot blocks, unix, or geunix. warning – When a verification check fails, a warning message is logged on the host console, and the boot process continues. When a verification check fails, an error message is logged on the host console, and the boot process is aborted. CLI Syntax for Boot Policy: Single host server: `set /Host/verified_boot boot_policy=``none\|warning\|enforce` Multi-domain host server: `set /Servers/PDomains/PDomain_n/HOST/verified_boot boot_policy=``none\|warning\|enforce` Note - When Boot Policy for Verified Boot is set to Enforce and the Non-volatile RAM configuration variable for "use-nvramrc?" is set to True, the Solaris boot operation might fail on some SPARC platforms (such as SPARC T7 and M7 series server). For further details, see the 3.2.5 Known Issues section in the Oracle ILOM Feature Updates and Release Notes.
System Certificates (`/system_certs/1`)		View the `system_certs/1` target for details about pre-installed certificate files, such as the issuer and subject of the file.
User Certificates (`/user_certs/n`)		Load up to five custom certificate files to verify Solaris kernel modules other than `unix` and `geunix`. View the `user_certs/n` target for details about user-loaded certificate files, such as the issuer and subject of the files. CLI Syntax to Load Custom Certificate at Boot: Single host server: `set /Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI` Multi-domain host server: `set /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI` Where `n` is the ID you want to associate with the certificate file and protocol is any of the transfer protocols supported by Oracle ILOM. For a list of supported protocols, see Supported File Transfer Methods CLI Syntax to Remove Verified Boot Custom Certificate: Single host server: `reset /Host/Verified_boot/user_certs/n` Multi domain host server: `reset /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n` Where `n` is the ID of the certificate file you want to remove.