How to configure verified boot for Solaris kernel zones
Dan from the Verified Boot team has a comprehensive post on what the team delivered in Oracle Solaris 11.3 for Kernel Zones Verified Boot, a project whose initial phase shipped in Solaris 11.2.
Dan reviews the policy settings we’ve created for Verified Boot:
What happens when a kernel module fails signature verification is controlled by a policy with three settings: none, warning, and enforce:
- none: disables Verified Boot; no verification is performed before a kernel module is loaded.
- warning: logs verification failures to the console and the system log, but still loads and executes the module. This is the default setting.
- enforce: logs the failure and refuses to load the module (the module load fails).
He also shares the steps to configure Verified Boot in a Kernel Zone:
```
zman # zonecfg -z zman-kz8
Use 'create' to begin configuring a new zone.
zonecfg:zman-kz8> create -t SYSsolaris-kz
zonecfg:zman-kz8> set autoboot=true
zonecfg:zman-kz8> add verified-boot
zonecfg:zman-kz8:verified-boot> set policy=enforce
zonecfg:zman-kz8:verified-boot> info
verified-boot:
	policy: enforce
zonecfg:zman-kz8:verified-boot> end
zonecfg:zman-kz8> verify
zonecfg:zman-kz8> commit
zonecfg:zman-kz8> exit
zman #
```
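The interactive session above is fine for one zone, but in practice you want the same configuration applied non-interactively and a way to audit that every kernel zone on a host is actually set to enforce. The following shell script is an added example, not code from Dan's post or from Oracle; it assumes Oracle Solaris 11.3 with the standard zonecfg and zoneadm utilities, and the function names, the zone name and the temporary file path are hypothetical. It generates the zonecfg command file equivalent to the session, feeds it to zonecfg -f, and parses the output of zonecfg info verified-boot to flag zones whose policy is none, warning or unset.

```shell
#!/bin/sh
# Added example (not from the original post): drive zonecfg non-interactively
# and audit the verified-boot policy of existing kernel zones.
# Assumes Oracle Solaris 11.3 with zonecfg/zoneadm; names are hypothetical.

# Validate a policy value before handing it to zonecfg. zonecfg rejects
# unknown values itself, but failing early keeps automation output clean.
vb_valid_policy() {
    case "$1" in
        none|warning|enforce) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the zonecfg command script that reproduces the interactive session
# from the post for zone $1 with verified-boot policy $2.
vb_zonecfg_script() {
    vb_valid_policy "$2" || { echo "invalid policy: $2" >&2; return 1; }
    cat <<EOF
create -t SYSsolaris-kz
set autoboot=true
add verified-boot
set policy=$2
end
verify
commit
EOF
}

# Apply the script: zonecfg -f reads commands from a file.
vb_configure_zone() {
    script="/tmp/$1.zonecfg"              # hypothetical scratch path
    vb_zonecfg_script "$1" "$2" > "$script" || return 1
    zonecfg -z "$1" -f "$script"
}

# Extract the policy from 'zonecfg -z ZONE info verified-boot' output read
# on stdin, which looks like:
#   verified-boot:
#           policy: enforce
# Prints the policy, or "unset" if no verified-boot resource is present.
vb_policy_from_info() {
    awk '/^[[:space:]]*policy:/ { print $2; found = 1 }
         END { if (!found) print "unset" }'
}

# Report every configured kernel zone (brand solaris-kz, field 6 of
# 'zoneadm list -cp') whose verified-boot policy is not enforce.
vb_audit_zones() {
    zoneadm list -cp | awk -F: '$6 == "solaris-kz" { print $2 }' |
    while read -r z; do
        p=$(zonecfg -z "$z" info verified-boot | vb_policy_from_info)
        [ "$p" = "enforce" ] || echo "$z: verified-boot policy is $p (expected enforce)"
    done
}

# Usage:
#   vb_configure_zone zman-kz8 enforce
#   vb_audit_zones
```

Run vb_audit_zones from cron or a configuration-management check: a zone reported as warning still boots unsigned modules and only logs, which is exactly the gap an attacker with root in the zone would exploit, so the audit should treat anything other than enforce as a finding. The policy is consulted when the zone boots, so after changing it on a running zone, reboot the zone for it to take effect.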
Be sure to read the full post for more details.