Secure boot

The SR OS Secure Boot ensures that the software executed by the system is trusted and originated from Nokia IP Routing.

At every boot of the control card, each step in the boot process verifies the digital signature of the next software element to boot for integrity and authenticity up to the SR OS operating system images. This boot sequence forms the chain of trust for Secure Boot.

Software image signatures use RSA-4096 keys and SHA-384 hashes.

The Secure Boot chain is rooted in the platform CPM firmware based on UEFI specifications. As such, Nokia Platform Key, Key Exchange Key, allowed and disallowed databases are provisioned when Secure Boot is activated to perform the required signature verification.

Firmware updates are also digitally signed and verified using the same principle. The signature verification of a firmware update is performed at boot time by the existing firmware before the firmware update can proceed.

Secure Boot chain

Secure Boot is enabled by default and the Secure Boot chain of trust for SR OS platforms can be visualized with the following diagram.

Figure 1. Secure boot chain of trust

Operational commands and logs

This section describes the following:

  • Secure boot state
  • Software update process
  • Update Secure Boot variables

Secure Boot state

Secure Boot and UEFI variables Secure Boot keys status is available per CPM.

Use the following command to display Secure Boot state information.

show card A detail
Hardware Data
    Secure boot status            : enabled
    UEFI variables status         : ok

where

  • Secure Boot status — indicates if Secure Boot is enabled or disabled
  • UEFI variables status — indicates if Secure Boot variables need updating

The system records at every boot in the security log if Secure Boot is enabled or disabled per CPM. The following is an example of such a log message.

24 2023/05/17 06:09:03.140 EDT MAJOR: SECURITY #2241 Base Card A
"CPM A has booted with a secure-boot status of enabled"

Secure Boot UEFI variables can be obtained per CPM card using the following command:

  • MD-CLI
    perform system security secure-boot show uefi-variables card
  • classic CLI
    tools dump system security secure-boot uefi-var card

The command displays the following x509 certificates and SHA-256 hash UEFI variables:

  • Platform Key (PK)
  • Key Exchange Key (KEK)
  • Allowed Database (DB)
  • Disallowed Database (DBx)

Software update

After Secure Boot is enabled, and before upgrading to a new software release, the user must validate that the new software image is properly signed. The main reason for this additional verification on systems with Secure Boot enabled is because the system only boots Nokia-signed software images and does not boot unsigned or improperly signed images.

Use the following command to validate the signature of the TiMOS *.tim images contained in the software-image url location referenced in the command. This verification includes cpm.tim, iom.tim, support.tim, both.tim, kernel.tim, as well as the boot.ldr if present in CF3 directory.

admin system security secure-boot validate software-image url

Update Secure Boot variables

The system supports Secure Boot UEFI key updates and revocation using the following commands.

admin system security secure-boot update-key
admin system security secure-boot revoke-key