Using Verified Boot

Malicious programs can pass information to third parties as well as alter the behavior of Oracle Solaris. Although third-party modules are typically non-malicious, they might violate policies that control site changes. Therefore, the system also needs protection from unauthorized installation of these modules.

Verified boot in Oracle Solaris secures a system's boot process. You must enable this feature, which protects the system from threats such as the following:

• Corruption of kernel modules

• Insertion or substitution of malicious programs that masquerade as legitimate kernel modules, such as Trojan viruses, spyware, and rootkits

• Installation of unauthorized third-party kernel modules

A firmware upgrade may be required to use verified boot. For information, see SPARC: Firmware Upgrade for Verified Boot.

You can enable verified boot in the following configurations and using the following tools:

• Oracle Solaris SPARC systems – Refer to Policy for Verified Boot.

• UEFI Secure Boot (BIOS menu) for x86 – Refer to your platform's instructions about Secure Boot configuration.

• Oracle Solaris Kernel Zones – Refer to Using Verified Boot to Secure an Oracle Solaris Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.

• Logical Domains (LDOM) – Refer to Using Verified Boot in Oracle VM Server for SPARC 3.6 Administration Guide.

• Oracle Integrated Lights Out Manager (ILOM) – Refer to Configuring SPARC Verified Boot Properties in Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x.