Secure Boot

Note: The Secure Boot feature is only supported on the 7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T.

The 7210 SAS SR OS Secure Boot ensures that the software executed by the system is trusted and originated from Nokia IP Networks.

At every boot of the control card, each step in the boot process verifies the digital signature of the next software element to ensure its integrity and authenticity, up to and including the 7210 SAS SR OS images. This boot sequence forms the chain of trust for Secure Boot.

Software image signatures use RSA-4096 keys and SHA-384 hashes.

The Secure Boot chain is rooted in the platform CPM firmware, based on UEFI specifications. As such, the Nokia Platform Key, Key Exchange Key, and allowed and disallowed databases are provisioned when Secure Boot is activated to perform the required signature verification.

Firmware updates are also digitally signed and verified using the same principle. The signature verification of a firmware update is performed at boot time by the existing firmware before the firmware update can proceed.

Secure Boot chain

The following figure shows the Secure Boot chain of trust for 7210 SAS SR OS platforms.

Figure 1. Secure boot chain of trust

The set of software images that form part of the Secure Boot chain varies among SR OS platforms. The list of software images per platform is described in System initialization, and includes the Boot Loader, boot.tim, and the 7210 SAS SR OS *.tim software images.

Activate Secure Boot

Secure Boot is enabled, per node, by providing the card slot, card serial number, and confirmation code command options.

Use the following command to activate Secure Boot.

admin system security secure-boot activate card "A" serial-number NS123456789 confirmation-code secure-boot-permanent

The following example shows the warning messages and a prompt for proceeding with Secure Boot activation.

This operation will permanently activate secure boot on card A and cannot be reversed.
After activation, the system will only accept digitally signed software and will not boot using un-signed software.
This operation will immediately reset card A.
Are you sure you want to continue (y/n)?

The card serial number and Secure Boot confirmation code are required to avoid accidental activation of Secure Boot in the network. The confirmation code is secure-boot-permanent.

The Secure Boot activate command verifies that the BOF primary image uses the same software release as the currently running software, and automatically reboots the node if the software release matches. Otherwise, an error is generated in the CLI.

Note:
  • The system also verifies the boot.tim version against the running software version on applicable platforms. These verifications ensure that the entire boot chain up to the primary image supports Secure Boot, before activating Secure Boot and rebooting the node.

  • The node must use the latest bootrom that is recommended for use with Secure Boot before activating Secure Boot. Check the 7210 SAS 25.9.R1 release notes to view the bootrom versions that support Secure Boot.

WARNING: After Secure Boot is activated on a node, the capability is permanently enabled and cannot be disabled. The node permanently refuses to execute unsigned software for security reasons. As a result, it is not possible to downgrade to a software release published before the release that introduced Secure Boot for a specific platform. For example, 7210 SAS-K 2F1C2T Secure Boot support is introduced in software Release 25.9.R1. After activating Secure Boot on this platform the system cannot be downgraded to software releases before 25.9.R1.

Operational commands and logs

This section describes the following:

  • Secure Boot state
  • Software update
  • Update Secure Boot variables

Secure Boot state

The Secure Boot status and the status of the UEFI variables that hold the Secure Boot keys are available for each node.

Use the following command to display Secure Boot state information.

show card A detail
Hardware Data
    Secure boot status            : enabled
    UEFI variables status         : ok

where

  • Secure Boot status — indicates if Secure Boot is enabled or disabled
  • UEFI variables status — indicates if Secure Boot variables need updating

At every boot in the security log, the system records if Secure Boot is enabled or disabled for each node. The following is an example of such a log message.

24 2023/05/17 06:09:03.140 EDT MAJOR: SECURITY #2241 Base Card A
"CPM A has booted with a secure-boot status of enabled"
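
Because the security log records the Secure Boot status at every boot, that message is a natural detection source: once Secure Boot has been activated on a node, any later boot that reports a status other than enabled deserves an alert. The following Go program is an added example, not part of the Nokia documentation or the 7210 SAS software; its parser is built from the record format of the sample message shown above, and the log text it scans is constructed for the example (the first record copies the sample, the second is made up).

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// BootStatusEvent is one parsed "has booted with a secure-boot status" record.
type BootStatusEvent struct {
	Seq       string // log sequence number
	Timestamp string // date, time and zone as printed by the node
	Severity  string // MAJOR, MINOR, ...
	Card      string // CPM slot, "A" on the supported platforms
	Status    string // "enabled" or "disabled"
}

// Header line format taken from the sample record on the page:
//
//	24 2023/05/17 06:09:03.140 EDT MAJOR: SECURITY #2241 Base Card A
var headerRe = regexp.MustCompile(
	`^(\d+)\s+(\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+\s+\S+)\s+(\w+):\s+SECURITY\s+#\d+\s+\S+\s+Card\s+(\S+)$`)

// Message line format, also taken from the page's sample record.
var messageRe = regexp.MustCompile(`^"CPM (\S+) has booted with a secure-boot status of (\w+)"$`)

// ParseBootStatusEvents scans a security log and returns every Secure Boot
// status record. A record is a header line followed by the quoted message
// line; header lines whose message is about something else are skipped.
func ParseBootStatusEvents(log string) []BootStatusEvent {
	var events []BootStatusEvent
	var pending *BootStatusEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := headerRe.FindStringSubmatch(line); m != nil {
			pending = &BootStatusEvent{Seq: m[1], Timestamp: m[2], Severity: m[3], Card: m[4]}
			continue
		}
		if pending != nil {
			if m := messageRe.FindStringSubmatch(line); m != nil && m[1] == pending.Card {
				pending.Status = m[2]
				events = append(events, *pending)
			}
			pending = nil
		}
	}
	return events
}

// FindNonSecureBoots returns the records whose status is anything other than
// "enabled": the condition to alert on once Secure Boot activation is expected.
func FindNonSecureBoots(events []BootStatusEvent) []BootStatusEvent {
	var out []BootStatusEvent
	for _, e := range events {
		if e.Status != "enabled" {
			out = append(out, e)
		}
	}
	return out
}

// SampleSecurityLog is constructed for this example. The first record copies
// the sample on the page; the second is a made-up boot with Secure Boot disabled.
const SampleSecurityLog = `24 2023/05/17 06:09:03.140 EDT MAJOR: SECURITY #2241 Base Card A
"CPM A has booted with a secure-boot status of enabled"
26 2023/05/18 01:02:03.500 EDT MAJOR: SECURITY #2241 Base Card A
"CPM A has booted with a secure-boot status of disabled"
`

func main() {
	events := ParseBootStatusEvents(SampleSecurityLog)
	fmt.Printf("parsed %d secure-boot status records\n", len(events))
	for _, e := range FindNonSecureBoots(events) {
		fmt.Printf("ALERT seq=%s %s card %s booted with secure-boot %s\n",
			e.Seq, e.Timestamp, e.Card, e.Status)
	}
}
```

The parser keys on the literal message text, so it will not be fooled by other SECURITY records that happen to mention the card; if the node's log export adds a prefix (for example a syslog header), strip it before the lines reach ParseBootStatusEvents.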

Secure Boot UEFI variables can be obtained for each node using the following command.

tools dump system security secure-boot uefi-vars card cpm-slot

The command displays the following X.509 certificate and SHA-256 hash UEFI variables:

  • Platform Key (PK)
  • Key Exchange Key (KEK)
  • Allowed Database (DB)
  • Disallowed Database (DBx)

Software update

After Secure Boot is enabled on the system, and before upgrading to a new software release, the user must validate that the new software image is properly signed. This additional verification is required because the system only boots Nokia-signed software images; unsigned or improperly signed images are not booted.

Use the following command to validate the signature of the TiMOS *.tim images contained in the software-image url location referenced in the command. This verification includes boot.tim, support.tim, and both.tim if the files are present in the cf1 or uf1 directory.

admin system security secure-boot validate software-image url
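
The chain of trust described in the Secure Boot chain section (each stage verifying the signature of the next before handing over control, with the allowed and disallowed databases deciding what may run), the UEFI variables listed above, and the pre-upgrade signature check performed by the validate command all rest on the same verification step. The following Go program is an added example written for this page; it is not Nokia code and does not reproduce the 7210 SAS firmware. It assumes PKCS#1 v1.5 padding (the page names RSA-4096 keys and SHA-384 hashes but not the padding scheme), a single vendor signing key standing in for the certificate held in the allowed database (db), SHA-256 image hashes as the entries of the disallowed database (dbx), and constructed image payloads; the image names follow the chain listed in System initialization.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// SignedImage is one element of the boot chain: the image bytes plus the
// detached RSA signature that the previous stage checks before executing it.
type SignedImage struct {
	Name string
	Data []byte
	Sig  []byte
}

// NewVendorKey generates the signing key that stands in for the vendor key
// whose certificate would sit in db. The page states RSA-4096; use 4096 here.
func NewVendorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// signImage signs the SHA-384 digest of an image. PKCS#1 v1.5 padding is an
// assumption of this example; the page does not name the padding scheme.
func signImage(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha512.Sum384(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA384, digest[:])
}

// imageHash returns the SHA-256 hash used as a dbx (revocation) entry.
func imageHash(data []byte) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:])
}

// VerifyChain walks the chain in boot order and stops at the first element
// that fails either check: the image hash must not be revoked in dbx, and the
// signature must verify under the db key. A dbx entry wins even when the
// signature is valid, which is the point of a revocation list. The returned
// slice names the stages that were allowed to run before the failure.
func VerifyChain(chain []SignedImage, dbKey *rsa.PublicKey, dbx map[string]bool) ([]string, error) {
	var booted []string
	for _, img := range chain {
		if dbx[imageHash(img.Data)] {
			return booted, fmt.Errorf("%s: image hash is revoked in dbx", img.Name)
		}
		digest := sha512.Sum384(img.Data)
		if err := rsa.VerifyPKCS1v15(dbKey, crypto.SHA384, digest[:], img.Sig); err != nil {
			return booted, fmt.Errorf("%s: signature verification failed: %v", img.Name, err)
		}
		booted = append(booted, img.Name)
	}
	return booted, nil
}

// BuildChain signs constructed sample payloads in the order the page lists
// the chain: Boot Loader, boot.tim, then the *.tim images.
func BuildChain(priv *rsa.PrivateKey) ([]SignedImage, error) {
	names := []string{"bootloader", "boot.tim", "both.tim", "support.tim"}
	var chain []SignedImage
	for _, n := range names {
		data := []byte("constructed sample image payload for " + n) // not a real image
		sig, err := signImage(priv, data)
		if err != nil {
			return nil, err
		}
		chain = append(chain, SignedImage{Name: n, Data: data, Sig: sig})
	}
	return chain, nil
}

func main() {
	priv, err := NewVendorKey(4096)
	if err != nil {
		panic(err)
	}
	chain, err := BuildChain(priv)
	if err != nil {
		panic(err)
	}
	dbx := map[string]bool{}

	booted, err := VerifyChain(chain, &priv.PublicKey, dbx)
	fmt.Println("intact chain:", booted, err)

	// Alter one byte of boot.tim: the Boot Loader stage still runs, boot.tim does not.
	chain[1].Data = append([]byte(nil), chain[1].Data...)
	chain[1].Data[0] ^= 0xff
	booted, err = VerifyChain(chain, &priv.PublicKey, dbx)
	fmt.Println("tampered boot.tim:", booted, err)
}
```

Run it with go run; the first verification lists all four stages and the second stops at boot.tim. The validate software-image command performs the equivalent check against the images in cf1 or uf1 before an upgrade, so an image that would fail at boot is caught while the node is still running the current release.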

Update Secure Boot variables

The system supports Secure Boot UEFI key updates and revocation using the following commands.

admin system security secure-boot update-key
admin system security secure-boot revoke-key

Secure Boot command reference

Command hierarchies

Secure Boot administration commands

root
    - admin
        - system
            - security
                - secure-boot
                    - activate card cpm-slot serial-number cpm-serial-number confirmation-code code
                    - revoke-key card cpm-slot serial-number cpm-serial-number confirmation-code code
                    - update-key card cpm-slot serial-number cpm-serial-number confirmation-code code software-image file-url
                    - validate software-image url [override-default-boot-image]

Secure Boot tools commands

tools
    - dump
        - system
            - security
                - secure-boot
                    - uefi-vars card cpm-slot

Command descriptions

Secure Boot administration commands

secure-boot
Syntax

secure-boot

Context

admin>system>security

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

Commands in this context administratively provision Secure Boot.

activate
Syntax

activate card cpm-slot serial-number cpm-serial-number confirmation-code code

Context

admin>system>security>secure-boot

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command activates Secure Boot to enforce digital signature verification of the software on every boot.

When Secure Boot is activated on a node, the capability is permanently enabled and cannot be disabled.

Parameters
cpm-slot

Specifies the logical CPM slot.

Values

A

cpm-serial-number

Specifies the node serial number, up to 256 characters.

code

Specifies the Secure Boot confirmation code, up to 32 characters.

revoke-key
Syntax

revoke-key card cpm-slot serial-number cpm-serial-number confirmation-code code

Context

admin>system>security>secure-boot

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command revokes Secure Boot keys.

Parameters
cpm-slot

Specifies the logical CPM slot.

Values

A

cpm-serial-number

Specifies the node serial number, up to 256 characters.

code

Specifies the Secure Boot confirmation code, up to 32 characters.

update-key
Syntax

update-key card cpm-slot serial-number cpm-serial-number confirmation-code code software-image file-url

Context

admin>system>security>secure-boot

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command updates Secure Boot keys.

Parameters
cpm-slot

Specifies the logical CPM slot.

Values

A

cpm-serial-number

Specifies the node serial number, up to 256 characters.

code

Specifies the Secure Boot confirmation code, up to 32 characters.

file-url

Specifies the URL for the software image.

Values

[local-url | remote-url] (up to 180 characters)

where:

  • local-url — [cflash-id/] [file-path]

    180 characters maximum, including cflash-id

    directory length 99 characters maximum each

  • remote-url — [{ftp://| tftp://} login:pswd@remote-locn/][ file-path]

    180 characters maximum

    directory length 99 characters maximum each

    where: remote-locn — [hostname | ipv4-address | ipv6-address]

  • cflash-id — cf1: | uf1:

validate
Syntax

validate software-image url [override-default-boot-image]

Context

admin>system>security>secure-boot

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command validates the specified software image.

Parameters
url

Specifies the URL for the software image file.

Values

[local-url | remote-url] (up to 180 characters)

where:

  • local-url — [cflash-id/] [file-path]

    180 characters maximum, including cflash-id

    directory length 99 characters maximum each

  • remote-url — [{ftp://| tftp://} login:pswd@remote-locn/][ file-path]

    180 characters maximum

    directory length 99 characters maximum each

    where: remote-locn — [hostname | ipv4-address | ipv6-address]

  • cflash-id — cf1: | uf1:

override-default-boot-image

Keyword to override the default boot image.

Secure Boot tools commands

secure-boot
Syntax

secure-boot

Context

tools>dump>system>security

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command displays Secure Boot settings.

uefi-vars
Syntax

uefi-vars card cpm-slot

Context

tools>dump>system>security>secure-boot

Platforms

7210 SAS-K 2F1C2T and 7210 SAS-K 2F6C4T

Description

This command displays the Secure Boot Unified Extensible Firmware Interface (UEFI) variables.

Parameters
cpm-slot

Specifies the logical CPM slot.

Values

A