Activate Secure Boot

Secure Boot is enabled on the CPM card by providing the card slot, card serial number, and confirmation code command options.

Use the following command to activate Secure Boot.

admin system security secure-boot activate card "A" serial-number NS123456789 confirmation-code secure-boot-permanent

admin system security secure-boot activate

The following example shows the warning messages and a prompt for proceeding with Secure Boot activation.

WARNING: CLI This operation will permanently activate secure boot on card A and cannot be reversed.
WARNING: CLI After activation, the system will only accept digitally signed software and will not boot using un-signed software.
WARNING: CLI This operation will immediately reset card A.
WARNING: CLI Configuration and/or Boot options may have changed since the last save.
Are you sure you want to continue (y/n)?

The card serial number and Secure Boot confirmation code are required to avoid activating Secure Boot by mistake in the network. The confirmation code is secure-boot-permanent.

The Secure Boot activate command verifies that the BOF primary image uses the same software release as the currently running software and automatically reboots the designated CPM card if the software release matches. Otherwise, an error is generated in the CLI.

Note: The system also verifies the boot.ldr version against the running software version on applicable platforms. These verifications are made to ensure that the entire boot chain up to the primary image supports Secure Boot before activating Secure Boot and rebooting the CPM.

WARNING: After Secure Boot is activated on the CPM, the capability is permanently enabled and cannot be disabled. The CPM permanently refuses to execute unsigned software for security reasons. As a result, it is not possible to downgrade to a software release published before the release that introduced Secure Boot for a specific platform.