Verification Sequence During System Boot
Verified boot automates the verification of the elfsign signatures of Oracle Solaris kernel modules. With verified boot, the administrator can create a verifiable chain of trust in the boot process beginning from system reset through the completion of the boot process.
During a system boot, each block of code that is started in the boot process verifies the next block that needs to be loaded. The sequence of verification and loading continues until the last kernel module is loaded.
When a power cycle is subsequently performed on the system, a new sequence of verification begins. The administrator can also configure verified boot to take the appropriate action in the event of verification failure.
The following illustrates the boot flow of Oracle Solaris on a SPARC system:
Firmware -> Bootblock -> /platform/.../unix -> genunix -> other kernel modules
The firmware verifies and then loads the Oracle Solaris /platform/.../unix module, the initial Oracle Solaris module. In turn, the Oracle Solaris kernel runtime loader krtld, which is part of the unix module, verifies and loads the generic UNIX (genunix) module and subsequent modules.
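
The same verify-then-load sequence can be replayed from userland on a running system as an audit. The following is an added example, not Oracle's code and not how the firmware or krtld performs the check: it runs `elfsign verify -e` on each object in load order. The function name `verify_chain`, the variable `CHAIN_RESULT`, and the mode names `enforce` and `warning` are this script's own, chosen to model stopping versus continuing after a verification failure.

```shell
#!/bin/sh
# Added example: replay the boot chain's verification order from userland.
# verify_chain MODE FILE...
#   MODE is this script's own argument (an assumption, not a system setting):
#     enforce  stop at the first object that fails verification
#     warning  report the failure and keep checking later objects
#   FILE...  kernel objects in the order the boot process loads them
# Sets CHAIN_RESULT to "ok", "warned:<count>" or "halted:<file>".
# Returns 0 if every object verified, 1 on any failure, 2 on a bad MODE.

verify_chain() {
    mode=$1
    shift
    case "$mode" in
        enforce|warning) ;;
        *) echo "unknown mode: $mode" >&2; CHAIN_RESULT=error; return 2 ;;
    esac

    failures=0
    CHAIN_RESULT=ok
    for obj in "$@"; do
        # elfsign exits 0 only when the signature in the ELF object is valid.
        if elfsign verify -e "$obj" >/dev/null 2>&1; then
            echo "verified: $obj"
            continue
        fi
        failures=$((failures + 1))
        if [ "$mode" = enforce ]; then
            # A broken link means nothing after it can be trusted.
            echo "FAILED:   $obj (later objects not checked)" >&2
            CHAIN_RESULT="halted:$obj"
            return 1
        fi
        echo "WARNING:  $obj failed verification, continuing" >&2
        CHAIN_RESULT="warned:$failures"
    done
    [ "$failures" -eq 0 ]
}
```

Call it with the mode followed by the kernel objects in load order, starting with the unix module and genunix. The paths are left to the caller because they are platform specific.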