are a few steps to modify an existing driver to successfully go
through the verified boot process. The first step is to obtain a
private key and certificate which will be used to sign the
drivers. Next, the driver is signed using the elfsign utility.
Once the driver is signed and the certificate is installed in the
system, it will properly pass the elfsign verify test; when the system boots, however, it will issue notices until the ILOM is given
the certificate. The following will go through the steps of
creating a binary that should be able to pass verified boot on a bare metal SPARC T5-2 server.
Note that virtualized Solaris instances have different methods to
provide a certificate.
Here are two methods for generating a private key and certificate.
- Self-signing a driver using openssl:
- Create certificate and private key:
- # openssl req -x509 -sha256 -nodes -newkey rsa:2048
-keyout mycompany.key -out mycompany.crt - mycompany.key will contain the private key which should
not be distributed - mycompany.crt will contain a certificate which can be
distributed
- Obtain a certificate from a certificate authority such as
CA.
The key and certificate will allow you to sign a driver. Here is
an example using the “dummy” driver from http://docs.oracle.com/cd/E36784_01/html/E36866/eqbof.html#scrolltoc
The dummy.c was modified to remove some of the cmn_err()
statements to make it less verbose on boot. The build is
performed in root’s home directory /root:
# cc -D_KERNEL -m64 -c dummy.c
# ld -r -o dummy dummy.o
# ln -s /root/dummy /usr/kernel/drv/sparcv9/dummy
# echo ‘name=”dummy” parent=”pseudo”;’ >
/usr/kernel/drv/dummy.conf
As a result of these steps, an unsigned driver was built and installed on the
system. The subsequent reboot is clean, and an attach message from the
driver is seen on the console.
SPARC T5-2, No Keyboard
Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights
reserved.
OpenBoot 4.38.3, 64.0000 GB memory available, Serial #
Boot device:
/pci@300/pci@1/pci@0/pci@2/scsi@0/disk@w5000cca025073421,0:a File
and args:
SunOS Release 5.11 Version 11.3 64-bit
Copyright (c) 1983, 2015, Oracle and/or its affiliates. All rights
reserved.
NOTICE: Inside dummy_attach
Hostname: p01
p01 console login:
Verified boot can be enabled through the ILOM. Either the CLI or
BUI can be used. Here is an example setting up verified boot
through the CLI:
-> cd /HOST/verified_boot
/HOST/verified_boot
-> set boot_policy=warning
Are you sure you want to set boot_policy=warning (y/n)? y
Set ‘boot_policy’ to ‘warning’
After setting the policy to warning, the boot messages note the
verification warning:
Boot device:
/pci@300/pci@1/pci@0/pci@2/scsi@0/disk@w5000cca025073421,0:a File
and args:
SunOS Release 5.11 Version 11.3 64-bit
Copyright (c) 1983, 2015, Oracle and/or its affiliates. All rights
reserved.
WARNING: Signature verification of module
/usr/kernel/drv/sparcv9/dummy failed
NOTICE: Inside dummy_attach
Hostname: p01
p01 console login:
Signing the driver with the certificate can be done using elfsign:
# elfsign sign -k mycompany.key -c mycompany.crt -e dummy
The certificate needs to be installed in /etc/certs:
# cp mycompany.crt /etc/certs
Once the driver is signed and the certificate is installed, the
binary will pass the elfsign verify:
# elfsign verify -e dummy
elfsign: verification of dummy passed.
However, on reboot, the verification still sends a notice:
Boot device:
/pci@300/pci@1/pci@0/pci@2/scsi@0/disk@w5000cca025073421,0:a File
and args:
SunOS Release 5.11 Version 11.3 64-bit
Copyright (c) 1983, 2015, Oracle and/or its affiliates. All rights
reserved.
WARNING: Signature verification of module
/usr/kernel/drv/sparcv9/dummy failed
NOTICE: Inside dummy_attach
Hostname: p01
p01 console login:
The ILOM must have the certificate loaded so that Solaris can
verify the binary as part of the boot process. The certificate
can be installed via the CLI or BUI. The ILOM documentation has
examples on loading the information using various methods. The
following is an example using a simple web server which has the
public certificate:
-> cd /HOST/verified_boot/user_certs/1
/HOST/verified_boot/user_certs/1
-> load -source http://myserver/mycompany.crt
The certificate can be checked in the ILOM:
-> cd /HOST/verified_boot/user_certs/1
/HOST/verified_boot/user_certs/1
-> show
/HOST/verified_boot/user_certs/1
Targets:
Properties:
clear_action = (Cannot show property)
issuer = /C=US/ST=CA/L=na/O=MyCompany
load_uri = (Cannot show property)
subject = /C=US/ST=CA/L=na/O=MyCompany
valid_from = Apr 5 17:29:23 2016 GMT
valid_until = May 5 17:29:23 2016 GMT
Now, with the binary signed and the certificate in place, Solaris
will boot without notices:
Boot device:
/pci@300/pci@1/pci@0/pci@2/scsi@0/disk@w5000cca025073421,0:a File
and args:
SunOS Release 5.11 Version 11.3 64-bit
Copyright (c) 1983, 2015, Oracle and/or its affiliates. All rights
reserved.
NOTICE: Inside dummy_attach
Hostname: p01
p01 console login:
References:
Solaris Verified Boot Introduction
https://blogs.oracle.com/DanX/entry/verified_boot
Solaris Kernel Zones Verified Boot
https://blogs.oracle.com/DanX/entry/elfsign_object_signing_on_solaris
Solaris 11.3 Documentation – Using Verified Boot
https://docs.oracle.com/cd/E53394_01/html/E54828/gmwce.html#scrolltoc