Cisco Catalyst 9500 Manual page 60

Verifying Platform Identity and Software Integrity
Verifying Software Integrity
The following example displays the checksum record for the boot stages. The hash measurements are displayed
for each of the three stages of software successively booted. These hashes can be compared against
Cisco-provided reference values. An option to sign the output gives a verifier the ability to ensure the output
is genuine and is not altered. A nonce can be provided to protect against replay attacks.
Note
Boot integrity hashes are not MD5 hashes. For example, if you run verify /md5 cat9k_iosxe.16.10.01.SPA.bin
command for the bundle file, the hash will not match.
The following is a sample output of the show platform integrity sign nonce 123 command in install mode.
This output includes measurements of each installed package file.
Device# show platform integrity sign nonce 123
Platform: WS-XC7R
Boot 0 Version: MA1004R06.1604052017
Boot 0 Hash: A99EF9F31CE3F3F8533055407F1C88C62176E667E4E1DA0649EAA7A1282F205E0A
Boot Loader Version: System Bootstrap, Version 16.8.0.7, DEVELOPMENT SOFTWARE
Boot Loader Hash:
942C2511D0EB10C8F5EC8B3ED529A5F2D210C4154434C6A591BF5553B06CBBE2039DADDD949C05722CABBB1429C41737CFC2C593A814FC87F6FBA0E9A0ADB09B
OS Version: 16.10.01
OS Hashes:
cat9k-cc_srdriver.16.10.01.SPA.pkg :
D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0
cat9k-espbase.16.10.01.SPA.pkg :
3EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEF43
cat9k-guestshell.16.10.01.SPA.pkg :
B0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03E
cat9k-rpbase.16.10.01.SPA.pkg :
4057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C6
cat9k-rpboot.16.10.01.SPA.pkg :
AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057
cat9k-sipbase.16.10.01.SPA.pkg :
9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A
cat9k-sipspa.16.10.01.SPA.pkg :
E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673
cat9k-srdriver.16.10.01.SPA.pkg :
4FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E211
cat9k-webui.16.10.01.SPA.pkg :
CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7
cat9k-wlc.16.10.01.SPA.pkg :
AA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCA
PCR0: A32CFED4F960494BC1311F7A31B52D5DE90FF501932670CD43AE6DBAD8735052
PCR8: D2F8474CD82072464C11D7F7A3D5C37D078A8AA832D94B1B12E01BF400E0BBB4
Signature version: 1
Signature:
4 A B 3 5 3 B F A A 7 3 5 5 B 5 C F E A 4 0 9 5 8 2 2 B 5 4 0 C E D 0 5 7 7 5 C B 7 6 E C 3 C 4 1 9 B 5 F 6 A 3 F 1 5 C C 2 8 4 4 1 5 E 4 C B 9 4 D 3 A 3 F B 5 E 1 5 0 0 4 1 C 0 7 1 A 7 C E 1 7 4 4 2 A B 8 B 1 1 2 9 7 5 9 3 1 D 3 7 7 1 0 A 5 3 4 2 8 8 E 7 9 4 E 5 5 2 F D 2 B 3 7 F F 4 9 0 4 6 A F 9 F E C 3 4 0 C 2 6 D 6 B E 1 B 8 0 F F 9 F 4 2 E 4 7 B 8 F 1 2 4 3 9 A 7 C 2 9 0 B D 3 D 4 5 4 4 4 9 B 5 D 6 5 F 1 7 0 6 6 C C B 8 E 0 C 4 D 8 A B 0 F A E E 0 3 4 D 2 7 E 5 4 6 6 7 1 1 7 7 A 4 C B C 9 B 4 6 6 9 E D 2 1 8 C 8 7 9 A 3 A A 9 7 2 D 0 0 C 8 6 5 4 9 B 2 0 4 1 C 9 8 8 D 9 9 4 7 5 6 D B 9 0 E B 6 F 2 5 2 8 7 2 1 C 0 9 6 B 6 0 C F 7 D 2 6 0 8 7 B 8 7 1 9 2 D 1 3 9 0 4 D F 3 3 2 3 6 A 9 A 4 A 6 3 4 7 F 8 0 4 3 0 2 B 0 B 9 6 E C 3 4 2 1 8 9 2 C A 1 6 D B B D D F F 7 5 C 1 E A 4 F D 2 0 4 3 1 6 8 D D 2 C 1 6 A 6 4 0 D 2 3 6 6 3 E A F 6 5 B B 3 E 6 1 1 A D F 9 A 7 2 8 C 4 F 8 2 2 9 4 6 6 9 0 0 F B 7 D 2 C 3 8 6 F 0 6 1 B 8 7 4 E 5 3 B 8 2 1 C 9 6 6 8 6 2 8 2 7 7 D A 7 3 7 2 5 4 5 0 7 6 B 1 B 0 B 9 4 4 0 B 7 6 7
The following is a sample output of the show platform integrity sign nonce 123 command in bundle mode.
This output includes measurements of the bundle file and each installed package.
Device# show platform integrity sign nonce 123
Platform: WS-XC7R
Boot 0 Version: MA1004R06.1604052017
Boot 0 Hash: A99EF9F31CE3F3F8533055407F1C88C62176E667E4E1DA0649EAA7A1282F205E0A
Boot Loader Version: System Bootstrap, Version 16.8.0.7, DEVELOPMENT SOFTWARE
Boot Loader Hash:
942C2511D0EB10C8F5EC8B3ED529A5F2D210C4154434C6A591BF5553B06CBBE2039DADDD949C05722CABBB1429C41737CFC2C593A814FC87F6FBA0E9A0ADB09B
OS Version: 16.10.01
System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)
44
Boot Integrity Visibility