Activate Secure Boot

Secure Boot is enabled per CSM card by providing the card slot, the card serial number, and the confirmation code to the admin>system>security>secure-boot>activate command.

WARNING: After Secure Boot is activated on a CSM, the capability is permanently enabled and cannot be disabled. The CSM permanently refuses to execute unsigned software for security reasons. As a result, it is not possible to downgrade to a software release published before the release that introduced Secure Boot for a specific platform. For example, Secure Boot support on the 7705 SAR is introduced in software Release 26.4.R2; after Secure Boot is activated on the system, it cannot be downgraded to a software release earlier than 26.4.R2.

Because the Secure Boot configuration is permanent and cannot be disabled, the card serial number and confirmation code are required to avoid activating it by mistake. The confirmation code is secure-boot-permanent.

The following example shows the warning messages and a prompt for proceeding with Secure Boot activation.

WARNING: CLI This operation will permanently activate secure boot on card A and cannot be
reversed.
WARNING: CLI After activation, the system will only accept digitally signed software and
will not boot using un-signed software.
WARNING: CLI This operation will immediately reset card A.
WARNING: CLI Configuration and/or Boot options may have changed since the last save.
Are you sure you want to continue (y/n)?

After activating Secure Boot, the system verifies that the BOF primary image and the boot.ldr version use the same software release as the currently running software. If the software releases match, the designated CSM card automatically reboots with Secure Boot enabled; otherwise, an error message is returned. These verifications ensure that the entire boot chain up to the primary image supports Secure Boot before it is enabled and the CSM is rebooted.
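The preconditions described on this page (matching slot and serial number, the literal confirmation code, and a BOF primary image and boot.ldr on the same release as the running software) can be modelled as an operator-side preflight check before the activate command is issued. This is an added example, not Nokia's code or the device's own logic; the "MAJOR.MINOR.Rn" release-string format, the CardState fields and the minimum-release check (derived from the downgrade note) are assumptions.

```python
import re
from dataclasses import dataclass

# From the page: the release that introduced Secure Boot on the 7705 SAR, and
# the literal confirmation code that the activate command requires.
MIN_SECURE_BOOT_RELEASE = "26.4.R2"
CONFIRMATION_CODE = "secure-boot-permanent"

# Assumption: release strings look like "MAJOR.MINOR.Rn" (e.g. "26.4.R2").
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.R(\d+)$")

def parse_release(rel: str) -> tuple[int, int, int]:
    """Turn '26.4.R2' into (26, 4, 2) so releases compare numerically."""
    m = _RELEASE_RE.match(rel.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {rel!r}")
    major, minor, r = (int(x) for x in m.groups())
    return (major, minor, r)

@dataclass
class CardState:
    """Hypothetical operator-side snapshot of one CSM card (constructed)."""
    slot: str
    serial: str
    running_release: str
    bof_primary_image_release: str
    boot_ldr_release: str

def preflight(card: CardState, slot: str, serial: str, confirmation: str) -> list[str]:
    """Return every reason the request should be refused; an empty list means activation may proceed."""
    problems = []
    if slot != card.slot:
        problems.append(f"slot {slot} does not match card slot {card.slot}")
    if serial != card.serial:
        problems.append("card serial number does not match")
    if confirmation != CONFIRMATION_CODE:
        problems.append(f"confirmation code must be {CONFIRMATION_CODE}")
    running = parse_release(card.running_release)
    # Derived from the downgrade note: the running release must already support Secure Boot.
    if running < parse_release(MIN_SECURE_BOOT_RELEASE):
        problems.append(f"running release {card.running_release} predates Secure Boot support")
    # The check the page attributes to the system: BOF primary image and boot.ldr must match.
    for name, rel in (("BOF primary image", card.bof_primary_image_release),
                      ("boot.ldr", card.boot_ldr_release)):
        if parse_release(rel) != running:
            problems.append(f"{name} release {rel} differs from running release {card.running_release}")
    return problems

def downgrade_allowed_after_activation(target_release: str) -> bool:
    """Once Secure Boot is on, only releases at or after 26.4.R2 can be loaded."""
    return parse_release(target_release) >= parse_release(MIN_SECURE_BOOT_RELEASE)
```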