Public Key Certificates for Verified Boot
Verified boot uses public key certificates from the following sources:
-
/etc/certs/elfsign
directoryIf your image contains ELF objects that are signed by a third-party vendor, you must add the vendor's certificate to this directory.
-
Kernel Zones, as added by the
zoneadm
command -
UEFI Secure Boot (BIOS menu) for x86
-
Oracle ILOM for SPARC
Oracle ILOM for SPARC that supports verified boot provides a preinstalled verified boot certificate file,
/etc/certs/elfsign/ORCLS11SE
. The certificate contains the RSA public key that is used to verify theelfsign
signatures in ELF objects that Oracle Solaris signed. All certificates are loaded and managed on each individual PDomain. -
ILOM syntax varies according to hardware platform and firmware version. To configure certificates using Oracle ILOM, review Configuring SPARC Verified Boot Properties in Oracle® ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x.
You can also manually verify a kernel module's signature. Manual verification can be useful during diagnostics to confirm that the signature is present and correct.
Example 2-1 Manually Verifying a Kernel Module's Signature
Use the elfsign verify -v
kernel_module command syntax as follows:
$ elfsign verify -v /kernel/misc/sparcv9/bignum
elfsign: verification of /kernel/misc/sparcv9/bignum passed.
Elfsign signature format: rsa_sha256
Signer: O=Oracle Corporation, OU=Corporate Object Signing, OU=Solaris Signed Execution, CN=Solaris 11