Secure Boot Overview - Cisco ASR 5000 Series Administration Manual
Staros release 21.4
Hide thumbs
Also See for ASR 5000 Series:
- Product overview (992 pages) ,
- Installation manual (317 pages) ,
- Administration manual (234 pages)
Table of Contents
Advertisement
Secure Boot Overview
Secure Boot Overview
Cisco Secure Boot places the Root of Trust in a hardware chip device on a circuit card where it cannot be
changed. The first code (microloader) that executes immediately after power on is guaranteed to be legitimate
code from Cisco and programmed during the time of system manufacturing. Furthermore, all software images
can be cryptographically verified against modifications prior to load/execution.
The goal of Cisco Secure Boot technology is to address potential issues associated with unprotected boot
code.
Once a piece of code is validated, it can be trusted and is allowed to assume control of the processor. Each
step of the boot sequence verifies the next step of the boot module via a code-signed module (Chain of Trust).
MIO2 Support for Secure Boot
The ASR 5500 MIO2 supports Secure Boot with a digitally signed image having a Release key. Production
MIO2 cards require an image filename signed with a Release key suffix of .SPA. For example,
asr5500-21.0.0.bin.SPA
Important
Image Naming Conventions
To distinguish signed from unsigned images, Release Engineering adds suffixes to build names for images
that are signed. For example, asr5500-20.0.0.bin.SPA indicates a Release key signed as deployable in a
customer network.
Verifying Authenticity
The Exec mode show software authenticity command displays information about the chain of trust and
authentication process for starfile images.
The syntax for this commend is:
show software authenticity { file url [ validate ] | keys | running }
Notes:
• file url [ validate ] displays authenticity information for starfile images on flash or over the network.
• keys displays public StarOS key information for each of the key storage regions (Primary, Backup), as
• running displays information about the chain of trust for all running software images: StarOS, CFE
For additional information about this command, see the Command Line Interface Reference.
ASR 5500 System Administration Guide, StarOS Release 21.4
476
MIO, DPC and DPC2 cards will also have digitally signed boot images, but they will ignore the signature.
The validate option performs digital signature validation of the image.
well as Rollover key information.
(bootstrap), BIOS/UEFI (Unified Extensible Firmware Interface) and the microloader.
Cisco Secure Boot
Advertisement
Table of Contents
Troubleshooting
