Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Secure Boot for Compute Instances

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Secure Boot feature is enabled for your Oracle Cloud Infrastructure (OCI) compute instances in order to protect them against malware and rootkits. Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halts the boot process if the signature verification fails. Secure Boot is disabled by default because of the third-party unsigned kernel modules that can't be loaded when the feature is enabled. If you don't use third-party unsigned kernel modules, it is highly recommended to enable Secure Boot for your OCI compute instances.

Security

Enabling Secure Boot for shielded OCI compute instances enhances security by ensuring that only authorized software is executed. This protects against boot-level and kernel-level malware, including rootkits, thereby strengthening the overall security of your OCI compute workloads.

Audit

To determine if your shielded OCI compute instances are protected with Secure Boot, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Instance information tab and check the Secure Boot feature status, listed under Launch Options. If Secure Boot is set to Disabled, the Secure Boot security feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

07 Repeat steps no. 5 and 6 for each compute instance deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account: 

oci iam compartment list
	--all
	--query 'data[]."compartment-id"'

02 The command output should return the requested OCI compartment identifiers (IDs): 

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, the list the ID of each compute instance available in the selected OCI compartment: 

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs: 

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance get command (Windows/macOS/Linux) with the ID of the compute instance that you want to examine as the identifier parameter and custom output filters to describe the Secure Boot feature status for the selected instance: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data."platform-config"."is-secure-boot-enabled"'

06 The command output should return the requested feature status: 

false

If the compute instance get command output returns false, as shown in the example above, the Secure Boot feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

07 Repeat steps no. 5 and 6 for each compute instance deployed in the selected OCI compartment.

08 Repeat steps no. 3 – 7 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To enable the Secure Boot feature for your Oracle Cloud Infrastructure (OCI) compute instances, you must re-create your instances by performing the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to re-create and collect all the relevant configuration information.

06 Navigate back to the Instances page, choose Create instance, and perform the following actions to launch a new compute instance:

  1. For Name, provide a unique name for the new instance.
  2. For Create in compartment, select the appropriate OCI compartment.
  3. For Placement, ensure that the required Availability domain is selected. Choose Show advanced options and select the correct Capacity type for the new instance (must match the capacity type of the source instance).
  4. For Security, choose Edit, select Shielded instance, and choose Secure Boot to enable the Secure Boot feature for your compute instance.
  5. For Image and shape, select the appropriate OS image and shape (must match the image and shape of the source instance).
  6. For Primary VNIC information, configure the required networking settings to match the source instance networking.
  7. For Add SSH keys, choose to generate a new SSH key pair or upload a public key that you already have.
  8. For Boot volume, specify the boot volume size and configure encryption in transit and encryption of data at rest.
  9. For Block volumes, choose whether to add one or more block volumes to your instance (must match the source instance disk configuration).
  10. Choose Show advanced options, and configure management, availability, and Oracle Cloud Agent settings (must match the source instance configuration settings).
  11. Choose Create to launch your new Oracle Cloud Infrastructure (OCI) compute instance.

07 Repeat steps no. 5 and 6 for each compute instance that you want to re-create, available within the selected OCI compartment.

Using OCI CLI

01 Run compute instance get command (Windows/macOS/Linux) with the ID of the compute instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected instance: 

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data'

02 The command output should return the requested configuration information: 

{
	"display-name": "cc-project5-kb-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-2",
	"freeform-tags": {
		"Owner": "Project5Developer"
	},

	...

	"platform-config": {
		"is-measured-boot-enabled": false,
		"is-memory-encryption-enabled": true,
		"is-secure-boot-enabled": false,
		"is-symmetric-multi-threading-enabled": false,
		"is-trusted-platform-module-enabled": false,
		"type": "AMD_VM"
	},

	...

	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"instance-source-image-filter-details": null,
		"source-type": "image"
	}
}

03 Run compute instance launch command (Windows/macOS/Linux) to create a new shielded Oracle Cloud Infrastructure (OCI) compute instance with Secure Boot: 

oci compute instance launch
	--display-name 'cc-new-project5-kb-instance'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--availability-domain 'JyEc:AP-SYDNEY-1-AD-1'
	--subnet-id 'ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
    --image-id 'ocid1.image.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--shape 'VM.Standard.E5.Flex'
	--platform-config '{"isSecureBootEnabled": true}'
	--query 'data."platform-config"."is-secure-boot-enabled"'

04 The command output should return the Secure Boot feature status for the new OCI compute instance: 

true

05 Repeat steps no. 1 - 4 for each compute instance that you want to re-create, available in the selected OCI compartment.

06 Repeat steps no. 1 – 5 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

References

Publication date Mar 6, 2025

Related Compute rules