14.8.3 X.509 Public Key Certificates for Verified Boot

Table 14-16 shows the two types of X.509 public key certificates used for verified boot.

Table 14-16  X.509 Public Key Certificates Used for Verified Boot

Certificate Type: System default certificate
Description: System default certificate held by the XSCF
    The XSCF has the same certificate as the public key certificate (/etc/certs/*SE) contained in Oracle Solaris.
    The XSCF has 1 or 2 system default certificates, which are replaced with the latest public key certificates at the time of firmware update.
    Therefore, system default certificates are not subject to save/restore on the system. In addition, users cannot manipulate them.

Certificate Type: User's certificate
Description: Certificate registered by a user
    A certificate issued by a third party is registered with the XSCF as a user's certificate.
    Up to 5 user's certificates can be registered with the XSCF for each physical partition. When enabled, a registered certificate can be used for boot verification.
    User's certificates are subject to save/restore on the system. However, saved certificates cannot be restored on another SPARC M12/M10 system.

Boot verification is performed by using the system default certificate(s) and enabled user's certificates.