14.8.4 Verified Boot Policies
Table 14-18 lists the two policies that control verified boot.
OS Version | Policy | Description |
---|---|---|
Oracle Solaris 11.2 | Boot policy (boot_policy) | Sets boot verification for the boot block, unix, and genunix. These modules are loaded first during a boot process. |
Oracle Solaris 11.2 | Module policy (module_policy) | Sets boot verification for kernel modules that need to be loaded after genunix. |
Oracle Solaris 11.3 or later | Boot policy (boot_policy) | Sets boot verification for the boot block and unix. These modules are loaded first during a boot process. |
Oracle Solaris 11.3 or later | Module policy (module_policy) | Sets boot verification for genunix and kernel modules. |
Use the setvbootconfig command of the XSCF firmware to set each policy.
The value set for a policy determines how the boot process behaves when boot verification fails.
Table 14-19 lists the values that can be set for each of the boot and module policies, and the verification operation that each value selects.
Policy Setting Value | Operation |
---|---|
none | Boot verification is not performed. (Default) |
warning | Boot verification is performed before the target of the verification is loaded. Even if the verification fails, the target is loaded and boot processing continues. If verification of the boot block or unix fails, the failure is recorded on the system console only; it is not recorded in the system log or the XSCF error log. If verification of genunix or another kernel module fails, the failure is recorded on the system console and in the system log; it is not recorded in the XSCF error log. |
enforce | Boot verification is performed before the target of the verification is loaded. If verification of the boot block or unix fails, boot processing stops, and the failure is recorded on the system console and in the XSCF error log; it is not recorded in the system log. If verification of genunix fails, boot processing stops, and the failure is recorded on the system console only; it is not recorded in the XSCF error log or the system log. If verification of any other kernel module fails, the boot continues without loading that module, and the failure is recorded on the system console and in the system log; it is not recorded in the XSCF error log. |
Note - In Oracle Solaris 11.2 SRU11.2.8.4.0 or later, if the policy setting value is enforce, the operation after a failed verification of genunix is different: if the OpenBoot PROM environment variable auto-boot? is true, the domain panics and reboots repeatedly. If this cycle persists, stop the domain by executing the sendbreak command for the control domain, the ldm stop command for a guest domain, or the zoneadm halt command for a kernel zone.
Table 14-20 shows examples of the messages output when boot verification fails.
Policy Setting Value | Message |
---|---|
none | Boot verification is not performed. |
warning | The following warning message appears, but the startup of Oracle Solaris continues. System console message in the case of genunix: `WARNING: module /platform/sun4v/kernel/sparcv9/genunix failed elfsign verification.` System console or system log message in the case of other kernel modules: `WARNING: module /kernel/drv/sparcv9/module failed elfsign verification.` |
enforce | In the case of the boot block, the following error message appears and the boot stops at the ok prompt. System console message: `FATAL: Bootblk signature verification failed, verified boot policy = enforce, halting boot`. XSCF error log: `boot process failed`. In the case of other kernel modules, the following error message appears but the startup of Oracle Solaris continues. System console or system log message: `Module /kernel/drv/sparcv9/module failed elfsign verification; "module-policy enforce" requested.` |
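The messages in Table 14-20 are the only evidence an operator has of a verified-boot failure, and the same `failed elfsign verification` wording is emitted both when a module was loaded anyway (warning policy) and when it was refused (enforce policy). The following detection script, added here as an illustration and not part of the Oracle or Fujitsu documentation, parses console, system log and XSCF error-log lines in the formats the table gives and reports whether the boot halted, which modules were refused, and which were loaded despite a bad signature. The sample lines are constructed from the table's own message shapes; `/kernel/drv/sparcv9/module` is the placeholder path the table uses, not a real module.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input modelled on the message formats in Table 14-20.
# These are not captured logs; the module paths are placeholders.
SAMPLE_LINES = [
    "WARNING: module /platform/sun4v/kernel/sparcv9/genunix failed elfsign verification.",
    "WARNING: module /kernel/drv/sparcv9/module failed elfsign verification.",
    "FATAL: Bootblk signature verification failed, verified boot policy = enforce, halting boot",
    'Module /kernel/drv/sparcv9/module failed elfsign verification; "module-policy enforce" requested.',
    "boot process failed",          # XSCF error log entry for a halted boot-block verification
    "NOTICE: unrelated console line",
]


@dataclass
class VerifiedBootEvent:
    source_line: str
    target: str            # "bootblk", "genunix" or "module"
    path: Optional[str]    # module path when the message carries one
    policy: str            # "warning" or "enforce", as implied by the message shape
    boot_continues: bool   # False when the message documents a halted boot
    module_loaded: bool    # True only under the warning policy (target loaded anyway)
    sink: str              # where the table says this message is recorded


# Message shapes from Table 14-20 (trailing period made optional for robustness).
_WARN_RE = re.compile(r"^WARNING: module (\S+) failed elfsign verification\.?$")
_ENFORCE_MOD_RE = re.compile(
    r'^Module (\S+) failed elfsign verification; "module-policy enforce" requested\.?$')
_BOOTBLK_RE = re.compile(
    r"^FATAL: Bootblk signature verification failed, verified boot policy = (\w+), halting boot$")
_XSCF_RE = re.compile(r"^boot process failed$")


def parse_line(line: str) -> Optional[VerifiedBootEvent]:
    """Classify one log line; return None if it is not a verified-boot message."""
    line = line.strip()
    m = _BOOTBLK_RE.match(line)
    if m:
        # Boot block failed under enforce: boot stops at the ok prompt.
        return VerifiedBootEvent(line, "bootblk", None, m.group(1), False, False, "console")
    m = _XSCF_RE.match(line)
    if m:
        # The XSCF error-log counterpart of the boot-block halt.
        return VerifiedBootEvent(line, "bootblk", None, "enforce", False, False, "xscf_error_log")
    m = _ENFORCE_MOD_RE.match(line)
    if m:
        # Other kernel module failed under enforce: boot continues, module not loaded.
        return VerifiedBootEvent(line, "module", m.group(1), "enforce", True, False,
                                 "console_or_syslog")
    m = _WARN_RE.match(line)
    if m:
        # Warning policy: the target is loaded even though its signature did not verify.
        path = m.group(1)
        target = "genunix" if path.endswith("/genunix") else "module"
        return VerifiedBootEvent(line, target, path, "warning", True, True, "console_or_syslog")
    return None


def scan(lines: Iterable[str]) -> List[VerifiedBootEvent]:
    """Return every verified-boot event found in an iterable of log lines."""
    return [ev for ev in (parse_line(l) for l in lines) if ev is not None]


def summarize(events: List[VerifiedBootEvent]) -> dict:
    """Triage view: did the boot halt, which modules were refused, which were loaded unsigned."""
    return {
        "halted": any(not e.boot_continues for e in events),
        "refused_modules": [e.path for e in events if e.boot_continues and not e.module_loaded],
        "warned_modules": [e.path for e in events if e.module_loaded],
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for ev in found:
        print(f"{ev.target:8} policy={ev.policy:8} continues={ev.boot_continues} "
              f"loaded={ev.module_loaded} sink={ev.sink} path={ev.path}")
    print(summarize(found))
```

The "warned_modules" list is the one to act on under the warning policy: those modules are already running with a signature that did not verify, and nothing in the XSCF error log will mention them, so this console or syslog scan is the only place the failure surfaces.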