Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2174444.1
Update Date:2018-05-01

Solution Type  Problem Resolution Sure

Solution  2174444.1 :   Solaris 10 LDOM domain boots with the following events: "WARNING: Unsupported bootblk image, can not extract fcode", "WARNING: Bootblk fcode extraction failed"  


Related Items
  • SPARC T7-2
  • SPARC T7-4
  • SPARC T7-1
Related Categories
  • PLA-Support>Sun Systems>SPARC>CMT>SN-SPARC: T7





Created from <SR 3-13106053581>

Applies to:

SPARC T7-4 - Version All Versions to All Versions [Release All Releases]
SPARC T7-2 - Version All Versions to All Versions [Release All Releases]
SPARC T7-1 - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Symptoms

A Solaris 10 LDOM domain may boot with the following event displayed on the LDOM domain console.

ok boot ...
   ...
   WARNING: Unsupported bootblk image, can not extract fcode
   WARNING: Bootblk fcode extraction failed
   ...

Changes

 

Cause

The WARNING event does not indicate a hardware fault on the system; it is expected behavior of the "Solaris Verified Boot" feature. Solaris Verified Boot verifies the Solaris boot images using factory-signed digital signatures. The intent of this feature is to use only known digital signatures in OBP to detect whether the Solaris kernel being loaded carries the Oracle factory-signed digital signature.
Currently only Solaris 11 certificates are loaded into the ILOM and there are no Solaris 10 digital certificates, so a Solaris 10 boot block cannot be verified and the warning is issued.

This feature is configurable through the following settings:

- SP (ILOM)           : /HOST/verified_boot boot_policy
- HOST (SOLARIS: LDOM): boot-policy


The default setting of "Solaris Verified Boot" is currently "warning". Depending on the setting, the expected behavior of "Solaris Verified Boot" is as follows:

enforced = if the Solaris kernel does not have the factory-signed signature, the OS is not allowed to boot
warning  = if the Solaris kernel does not have the factory-signed signature, only a warning message is issued
none     = no check is carried out


For example:

- SP (ILOM)
  -> show /HOST/verified_boot boot_policy
     boot_policy = warning
  -> show /HOST/verified_boot/system_certs/1
     issuer      = /C=US/O=Oracle Corporation/OU=VeriSign Trust Network/OU=Class 2 Managed PKI Individual Subscriber CA/CN=Object Signing CA
     subject     = /O=Oracle Corporation/OU=Corporate Object Signing/OU=Solaris Signed Execution/CN=Solaris 11
     valid_from  = Mar  1 00:00:00 2012 GMT
     valid_until = Mar  1 23:59:59 2015 GMT

- HOST (SOLARIS: LDOM)
  # ldm list-domain -l <domain> | grep boot-policy
    boot-policy=warning

Solution

For a Solaris 10 domain, the current recommendation is to ignore the message. If Solaris Verified Boot is not required, the feature can be disabled by running the following commands:

- SP (ILOM)
  -> set /HOST/verified_boot boot_policy=none
  -> stop /SYS
  -> start /SYS

- HOST (SOLARIS: LDOM)
  # ldm set-domain boot-policy=none <domain>
  # ldm stop-domain <domain>
  # ldm start-domain <domain> 
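
To keep track of which domains run under which policy once settings like these have been changed, the following added example (not part of the original Oracle document) classifies each domain by its boot-policy value and exits non-zero when any domain has verification disabled. The one-line-per-domain input format, the function name audit_boot_policy and the sample domain names are assumptions of this example; the boot-policy values are those printed by the "ldm list-domain -l <domain> | grep boot-policy" command shown in the Cause section.

```shell
#!/bin/sh
# Added example: audit the Solaris Verified Boot policy of several domains.
#
# Assumed input (a format chosen for this example): one line per domain,
#   <domain> boot-policy=<value>
# which can be collected on the control domain, for each domain name $d, with
#   echo "$d $(ldm list-domain -l "$d" | grep boot-policy)"

# Reads the lines on stdin and prints "<domain> <policy> <verdict>".
# Verdicts follow the three settings described on this page:
#   enforced -> ENFORCED   unsigned kernel is not allowed to boot
#   warning  -> WARN_ONLY  unsigned kernel boots, a warning is logged
#   none     -> DISABLED   no check is carried out
# Any other or missing value is reported as UNKNOWN.
# Exit status is 1 if any domain is DISABLED or UNKNOWN, otherwise 0.
audit_boot_policy() {
    awk '
    NF == 0 { next }                      # skip blank lines
    {
        domain = $1; policy = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^boot-policy=/) {
                policy = $i
                sub(/^boot-policy=/, "", policy)
            }
        if (policy == "enforced")     verdict = "ENFORCED"
        else if (policy == "warning") verdict = "WARN_ONLY"
        else if (policy == "none")    verdict = "DISABLED"
        else { verdict = "UNKNOWN"; policy = "?" }
        if (verdict == "DISABLED" || verdict == "UNKNOWN") bad = 1
        printf "%s %s %s\n", domain, policy, verdict
    }
    END { exit bad + 0 }
    '
}

# Constructed sample input (hypothetical domain names, not from the page).
SAMPLE='ldg-s11      boot-policy=enforced
ldg-s10      boot-policy=warning
ldg-test     boot-policy=none'

printf '%s\n' "$SAMPLE" | audit_boot_policy ||
    echo "review: at least one domain has verified boot disabled or unreadable"
```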

Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.