Using Verified Boot
Malicious programs can pass information to third parties as well as alter the behavior of Oracle Solaris. Although third-party modules are typically non-malicious, they might violate policies that control site changes. Therefore, the system also needs protection from unauthorized installation of these modules.
Verified boot in Oracle Solaris secures a system's boot process. You must enable this feature, which protects the system from threats such as the following:
- Corruption of kernel modules
- Insertion or substitution of malicious programs that masquerade as legitimate kernel modules, such as Trojan viruses, spyware, and rootkits
- Installation of unauthorized third-party kernel modules
A firmware upgrade may be required to use verified boot. For information, see SPARC: Firmware Upgrade for Verified Boot.
You can enable verified boot in the following configurations and using the following tools:
- Oracle Solaris SPARC systems – Refer to Policy for Verified Boot.
- UEFI Secure Boot (BIOS menu) for x86 – Refer to your platform's instructions about Secure Boot configuration.
- Oracle Solaris Kernel Zones – Refer to Using Verified Boot to Secure an Oracle Solaris Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.
- Logical Domains (LDOM) – Refer to Using Verified Boot in Oracle VM Server for SPARC 3.6 Administration Guide.
- Oracle Integrated Lights Out Manager (ILOM) – Refer to Configuring SPARC Verified Boot Properties in Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x.