Configuring SPARC Verified Boot Properties
On some of Oracle's SPARC systems, Verified Boot can be used to verify system boot blocks and Oracle Solaris kernel modules before they are loaded on the system. Use Oracle ILOM to enable Verified Boot and to specify how the system should respond when a verification check fails. Enabling Verified Boot can prevent harmful changes to the system boot blocks or Oracle Solaris kernel modules from taking effect. For further details about setting this policy in Oracle ILOM, see the property descriptions in Table 8-10.
To use the Verified Boot feature, Oracle Solaris 11.2 or later must be installed on the system.
Before you upload certificates to verify Oracle Solaris kernel modules, ensure that the following requirements are met:
- The certificates can be accessed through your network or local file system.
- The certificates are in PEM format, following the X.509 standard.
- The certificates are not encrypted with a passphrase.
Table 8-10 Verified Boot Properties

User Interface Configurable Target and User Role:

Property | Default | Description
---|---|---
Boot Policy ( | none | none \| warning \| enforce. CLI syntax for Boot Policy: single-host server: set /Host/verified_boot boot_policy=none\|warning\|enforce; multi-domain host server: set /Servers/PDomains/PDomain_n/Host/verified_boot boot_policy=none\|warning\|enforce. Note: when Boot Policy for Verified Boot is set to enforce and the non-volatile RAM configuration variable "use-nvramrc?" is set to true, the Solaris boot operation might fail on some SPARC platforms (such as SPARC T7 and M7 series servers). For further details, see the 3.2.5 Known Issues section in the Oracle ILOM Feature Updates and Release Notes.
System Certificates ( | | View the
User Certificates ( | | Load up to five custom certificate files to verify Solaris kernel modules other than. CLI syntax to load a custom certificate at boot: single-host server: set /Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI; multi-domain host server: set /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n load_uri=protocol://certificate_URI, where n is the ID you want to associate with the certificate file and protocol is any of the transfer protocols supported by Oracle ILOM (for a list of supported protocols, see Supported File Transfer Methods). CLI syntax to remove a Verified Boot custom certificate: single-host server: reset /Host/verified_boot/user_certs/n; multi-domain host server: reset /Servers/PDomains/PDomain_n/Host/verified_boot/user_certs/n, where n is the ID of the certificate file you want to remove.
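A pre-upload check for the certificate requirements listed above (reachable file, PEM-encoded X.509, no passphrase-encrypted block), followed by the single-host load command from the table. This is an added example, not Oracle's code; it assumes a POSIX shell with openssl on PATH, that user_certs slot IDs run 1 to 5, and uses a placeholder sftp URI.

```shell
#!/bin/sh
# Verified Boot user-certificate pre-flight checks (added example, not Oracle's code).
# Assumes: POSIX sh, openssl on PATH, user_certs slot IDs 1..5 (assumption).

check_verified_boot_cert() {
  cert="$1"
  # Requirement 1: the file must be reachable on the local file system.
  [ -r "$cert" ] || { echo "$cert: not readable" >&2; return 1; }
  # Requirement 3: reject a passphrase-protected PEM block, e.g. an encrypted
  # private key bundled into the same file; ILOM expects unencrypted PEM input.
  if grep -q 'ENCRYPTED' "$cert"; then
    echo "$cert: contains a passphrase-encrypted PEM block" >&2; return 1
  fi
  # Requirement 2: openssl must parse the file as a PEM X.509 certificate;
  # DER files, bare keys and arbitrary text all fail this check.
  if ! openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then
    echo "$cert: not a PEM-encoded X.509 certificate" >&2; return 1
  fi
  return 0
}

# Build the single-host ILOM command from the table, refusing a slot outside
# the five user_certs entries (slot numbering 1..5 is an assumption).
ilom_load_cmd() {
  n="$1"; uri="$2"
  case "$n" in
    1|2|3|4|5) ;;
    *) echo "slot must be 1..5, got '$n'" >&2; return 1 ;;
  esac
  printf 'set /Host/verified_boot/user_certs/%s load_uri=%s\n' "$n" "$uri"
}

# Constructed sample input: a throwaway self-signed certificate in a temp dir.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-signer' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  echo "$dir/cert.pem"
}
```

Run check_verified_boot_cert on each file before loading it; only a file that passes should be referenced in the load_uri of the ilom_load_cmd output.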