Elfsign Object Signing on Solaris

Solaris Kernel Zones Verified Boot


Verified Boot picture Oracle Solaris 11.3 introduces Kernel Zones Verified Boot. To review, both Solaris Verified Boot and Kernel Zones were introduced in Solaris 11.2.

  • Solaris Verified Boot verifies the RSA digital signatures of Solaris kernel modules before execution. For more information, see my blog on Solaris Verified Boot
  • Solaris Kernel Zones partitions Solaris into multiple virtual computers each running their own independent Solaris kernel
  • Solaris 11.3 extends Verified Boot functionality to Kernel Zones

Chain of Trust

Verified Boot is based on the chain of trust concept. That is, don't use software to perform verification until it is verified itself. The following shows flow control for a Kernel Zone with Verified Boot enabled:

Boot the Global Zone with Verified Boot and Immutable Global Zone enabled
Kernel Zone daemon kzhost verifies zvboot for a kernel zone instance
Kernel Zone zvboot verifies the initial Solaris kernel module unix
Solaris kernel module unix verifies/loads other kernel modules, starting with genunix


We'll start off with a complete example to demonstrate Verified Boot on Kernel Zones. Here I will create a kernel zone with Verified Boot enabled then install and boot the zone.


First verify Kernel Zones is hardware- and software-supported with this command:

zman $ virtinfo -c supported list kernel-zone
kernel-zone: no such supported virtual environment found

Ooops. If this occurs, check if package brand-solaris-kz is installed with:
pkg info brand-solaris-kz
If not installed, then install:
pkg install brand-solaris-kz

In my case, brand-solaris-kz was installed. However, for X86, you also need virtualization enabled in the BIOS. BIOS menus vary, but for me it was under:
Advanced → CPU Setup → enable VT-d (or VT-x)

Let's try again. After updating BIOS and rebooting:

zman $ virtinfo -c supported list kernel-zone
NAME        CLASS     
kernel-zone supported

Configuring Verified Boot Kernel Zones

Here I setup a new Kernel Zone I'll call "zman-kz8" with Verified Boot enabled:

zman # zonecfg -z zman-kz8
Use 'create' to begin configuring a new zone.
zonecfg:zman-kz8> create -t SYSsolaris-kz
zonecfg:zman-kz8> set autoboot=true
zonecfg:zman-kz8> add verified-boot
zonecfg:zman-kz8:verified-boot> set policy=enforce
zonecfg:zman-kz8:verified-boot> info
	policy: enforce
zonecfg:zman-kz8:verified-boot> end
zonecfg:zman-kz8> verify
zonecfg:zman-kz8> commit
zonecfg:zman-kz8> exit
zman # 

The policy to use on failures is configurable with three policy settings: none, warning, and enforce:

  • none disables Verified Boot—that is do no verification before loading a kernel module
  • warning logs verification failures to the console and system log. The module is loaded and executed, however. This is the default setting
  • enforce logs and does not load the module (the module fails to load)

elfsign signature verification chart
Verified Boot elfsign signature verification process

Warning It's important to note that to fully enable Verified Boot, you must set the policy to enforce. This will prevent corrupt and unsigned kernel modules from loading. The warning policy provides no real security as it goes ahead and loads the module. The main intent of warning is to alert system administrators of the presence of unsigned or corrupt kernel modules before enabling the policy to enforce. Corrupt kernel modules should be replaced and unsigned kernel modules should be signed by the software provider or, if not possible, self-signed by you using elfsign(1) (see "elfsign" under "More Information," below).


Now we can install and boot the kernel zone:

zman # zoneadm -z zman-kz8 install
Progress being logged to /var/log/zones/zoneadm.20150609T194158Z.zman-kz8.install
pkg cache: Using /var/pkg/publisher.
 Install Log: /system/volatile/install.2551/install_log
 AI Manifest: /tmp/zoneadm2178.dsa4Le/devel-ai-manifest.xml
  SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Installation: Starting ...

        Creating IPS image
        Installing packages from:
                origin:  http://pkg.oracle.com/solaris11/release/
        The following licenses have been accepted and not displayed.
        Please review the licenses for the following packages post-install:
        Package licenses may be viewed using the command:
          pkg info --license <pkg_fmri>

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            531/531   69332/69332  632.8/632.8  3.4M/s

PHASE                                          ITEMS
Installing new actions                   93363/93363
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Installation: Succeeded
        Done: Installation completed in 432.679 seconds.
zman #


Now boot the zone and connect to the zone console:

# zoneadm -z zman-kz8 boot
# zlogin -C zman-kz8

Initially Solaris in the kernel zone runs sysconfig and asks the usual questions about hostname, login name, passwords, and network configuration. Then it boots:

Hostname: zman-kz8
Jun  9 14:24:02 zman-kz8 sendmail[1095]:
My unqualified host name (zman-kz8) unknown; sleeping for retry
zman-kz8 console login: dan
Password: secret
Oracle Corporation      SunOS 5.11      11.3    June 2015
test@zman-kz8:~$ uname -a
SunOS zman-kz8 5.11 11.3 i86pc i386 i86pc
test@zman-kz8:~$ grep Verified /var/adm/messages
Jun  9 14:18:00 zman-kz8 krtld: [ID 909546 kern.info] NOTICE:
Verified boot enabled; policy=enforce
test@zman-kz8:~$ ~.
zman #

As you can see Kernel Zones is booted with Verified Boot enabled. We exit the console by quickly typing "~."

Verified Boot allows third-party and self-signed kernel modules. Signing is performed by elfsign, but the public key X.509 cert must be configured for a kernel zone. The cert is specified using a URL and may be either a file in the Global Zone (file: URL) or accessible via the network in the Global Zone (http: or https: URL). In the example below, I will change the policy of an existing zone to "warning" and add a local (Global Zone) cert file:

zman # zonecfg -z zman-kz8
zonecfg:zman-kz8> select verified-boot
zonecfg:zman-kz8:verified-boot> set policy=warning
zonecfg:zman-kz8:verified-boot> add cert file:///etc/certs/dans-elfsign-key.pem
zonecfg:zman-kz8:verified-boot> info
	policy: warning
	cert: file:///etc/certs/dans-elfsign-key.pem
zonecfg:zman-kz8:verified-boot> end
zonecfg:zman-kz8> verify
zonecfg:zman-kz8> commit
zonecfg:zman-kz8> exit
zman #


Now that Verified Boot is enabled, I'll show what occurs when loading kernel modules that are signed with a correct and incorrect (unauthorized) signatures.

zman /root # zlogin -C zman-kz8
[Connected to zone 'zman-kz8' console]
test@zman-kz8:~/cert-test$ su -
root@zman-kz8:~# modload vboot_test_mod_signed
Jun 9 14:47:52 xman-kz8 vboot_test_mod_signed:
Verified Boot Test Module initialized
root@zman-kz8:~# modload vboot_test_mod_missigned
can't load module: Invalid argument: Jun  9 15:03:56 zman-kz8 krtld:
Signature verification of module /root/vboot_test_mod_missigned failed;
policy is set to "enforce".
Invalid argument
root@zman-kz8:~# ~.
zman # zoneadm list -v
  ID NAME             STATUS      PATH                         BRAND      IP    
   0 global           running     /                            solaris    shared
   2 zman-kz8         running     -                            solaris-kz excl  
zman #

Verified Boot Notes and Tips

Here's some tips about using Verified Boot for Kernel Zones.

  • Usage error: if you get a "usage:" message at "add verified-boot" or "select verified-boot", your version of Solaris is too old to support Verified Boot for Kernel Zones.
  • Memory: the host system should have at least 4 GBytes of available memory for the kernel zone (above what the Global Zone needs) or the system may "hang" during Kernel Zones installation (use prtconf(1M) to find how much memory you have).
  • Policy: The "policy" setting under verified-boot is optional. If left unspecified, Solaris uses the default value ("warning").
  • Certs: certs are optional. They are needed for third-party and self-signed kernel modules signed with elfsign(1). For each RSA x.509 certificate, use "add cert" to add to the list of authorized certs. You may also use "set cert=" followed by a list of certs in double quotes separated by ",". For the local "file:///" cert, the cert file must exist in the host filesystem (zone controller), not the guest, so the Global Zone can pass the cert to the zone guests. Certs accessible from the Global Zone over the network can be specified with "http:" or "https:" URLs.
  • Migration: verified boot policy and cert settings transport with the zone when migrated to another system (whether live, warm, or cold migration).


Dan and dog

Solaris Kernel Zones Verified Boot is available with Solaris 11.3 for newer SPARC and X86 platforms. SPARC T5, M5/M6, or newer platforms support Kernel Zones. X86 must have CPU Virtualization, available with Intel Nehalem or newer or AMD Barcelona or newer (Intel VT-x or VT-d, or AMD AMD-v).

More Information

Here's some sources for further information. More documentation is available at docs.oracle.com


Post a Comment:
Comments are closed for this entry.

Solaris cryptography and optimization.


« November 2015