How to configure verified boot for Solaris kernel zones

Dan from the Verified Boot team has compehensive post of what the team has delivered in Oracle Solaris 11.3 in Kernel Zones Verified Boot, a project which we delivered the initial phase for in Solaris 11.2.

Dan reviews the policy settings we’ve created for Verified Boot:

The policy to use on failures is configurable with three policy settings: none, warning, and enforce:

  • none: disables Verified Boot—that is do no verification before loading a kernel module
  • warning: logs verification failures to the console and system log. The module is loaded and executed, however. This is the default setting
  • enforce: logs and does not load the module (the module fails to load)

He also shares the steps to configure Verified Boot in a Kernel Zone:

zman # zonecfg -z zman-kz8
Use 'create' to begin configuring a new zone.
zonecfg:zman-kz8> create -t SYSsolaris-kz
zonecfg:zman-kz8> set autoboot=true
zonecfg:zman-kz8> add verified-boot
zonecfg:zman-kz8:verified-boot> set policy=enforce
zonecfg:zman-kz8:verified-boot> info

policy: enforce
zonecfg:zman-kz8:verified-boot> end
zonecfg:zman-kz8> verify
zonecfg:zman-kz8> commit
zonecfg:zman-kz8> exit
zman #

Be sure to read the full post for more details.