Public Key Certificates for Verified Boot

Verified boot uses public key certificates from the following sources:

• /etc/certs/elfsign directory

  If your image contains ELF objects that are signed by a third-party vendor, you must add the vendor's certificate to this directory.

• Kernel Zones, as added by the zoneadm command

• UEFI Secure Boot (BIOS menu) for x86

• Oracle ILOM for SPARC

  Oracle ILOM for SPARC that supports verified boot provides a preinstalled verified boot certificate file, /etc/certs/elfsign/ORCLS11SE. The certificate contains the RSA public key that is used to verify the elfsign signatures in ELF objects that Oracle Solaris signed. All certificates are loaded and managed on each individual PDomain.

• ILOM syntax varies according to hardware platform and firmware version. To configure certificates using Oracle ILOM, review Configuring SPARC Verified Boot Properties in Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x.

You can also manually verify a kernel module's signature. Manual verification can be useful during diagnostics to confirm that the signature is present and correct.

Example 2-1 Manually Verifying a Kernel Module's Signature

Use the elfsign verify -v kernel_module command syntax as follows:

$ elfsign verify -v /kernel/misc/sparcv9/bignum
elfsign: verification of /kernel/misc/sparcv9/bignum passed.
Elfsign signature format: rsa_sha256
Signer: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11