BootZ

Note:

BootZ is supported on 7250 IXR-6e and 7250 IXR-10e CPM4 with Root of Trust. Ensure you obtain a bootstrapping RTU (Right to Use) license, and purchase new devices with an OS kit with BootZ enabled by default instead of ZTP.

BootZ is a gRPC-based protocol used to bootstrap a network device securely.

To enable device bootstrapping, BootZ defines the boot process and provides a specification that enumerates the data elements that allow a vendor-agnostic implementation.

The SR Linux implementation of BootZ is currently a partial application of the BootZ specification and is evolving to meet all aspects of the BootZ protocol.

The SR Linux BootZ implementation uses DHCP and bootstrap servers to initiate the bootstrapping of source data. Currently, only the bootstrap process from DHCP discovery to successful processing of the bootstrap data is supported.

In the BootZ implementation, the DHCP server provides the CPM with unsigned redirect information, which includes a list of bootstrap servers. The CPM then uses this information to execute the bootstrapping RPCs against the list of bootstrap servers.

BootZ components

On-boarding device

Nokia router that you want to provision and connect to your network.

DHCP server

The DHCP server provides the node with the location of the bootstrap BootZ server.

BootZ bootstrap server

The BootZ bootstrap server hosts the bootstrapping data, which includes the OS version and initial device configuration. The bootstrap servers use gRPC methods to communicate with the on-boarding devices.

The on-boarding device uses the GetBootstrappingData RPC to initiate the BootZ process with the BootZ server. The RPC method uses the GetBootstrapDataRequest structure for the request data and the GetBootstrapDataResponse structure for the response data. The GetBootstrapDataResponse structure contains the bootstrapping data. It also includes the initial gNSI artifacts, such as certz, pathz, authz, and credential artifacts, which are required to enable the device to proceed with enrollment and attestation or to bring the device fully into a production state.

The on-boarding device uses the ReportProgress RPC to report its bootstrapping progress to the BootZ server.

Bootstrapping artifacts

Bootstrapping artifacts are as follows:
  • Redirect information: Refers to the data provided to an on-boarding device that directs it to an alternative server or endpoint for obtaining further configurations or bootstrapping data.
  • On-boarding information: On-boarding information supplies the data required for a device to bootstrap and establish secure connections with other systems.
  • Ownership Voucher: To support BootZ, an Ownership Voucher (OV) must be obtained by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC) and the order details containing the router serial number provided to Nokia during the OV request. Nokia generates an ownership voucher and sends it back as a response to the ownership voucher request.
  • Ownership certificate: Represents an X.509 certificate that binds an owner identity to a public key, allowing a device to validate a signature on the on-boarding information artifact. It is provided to the device via the bootstrap server. The ownership certificate is validated against the PDC, which is contained in the Ownership Voucher.

BootZ process

  1. Ensure that you obtain a bootstrapping RTU (Right to Use) license and purchase new devices with an OS kit, with BootZ enabled by default, instead of ZTP.
  2. Ensure that you obtain an Ownership Voucher (OV) by submitting a request to Nokia Support. The request must include the Pinned Domain Certificate (PDC), along with the order details containing the serial numbers of the CPM.
  3. Ensure that DHCP and BootZ bootstrap servers are configured in the network.

  1. At the installation site, the BootZ OS kit triggers the initialization of the secure bootstrapping process.
  2. DHCP discovery of BootZ Bootstrap server
    1. The node boots up and initiates a DHCP request to the DHCP server.
    2. The DHCP server assigns an address to the requesting node and provides a list of bootstrap server URIs. The DHCP response contains the option code OPTION_V4_SZTP_REDIRECT(143) or OPTION_V6_SZTP_REDIRECT(136). OPTION_V4_SZTP_REDIRECT(143) is the DHCPv4 option code for IPv4 addressing, and OPTION_V6_SZTP_REDIRECT(136) is the DHCPv6 option code for IPv6 addressing. The URI is in the following format: bootz://<host or ip>:<port>.
  3. Bootstrapping service
    1. The router sends the GetBootstrappingData RPC to the bootstrap server obtained from the DHCP server. The device establishes a gRPC connection to the BootZ server. The device must use its unique IDevID certificate to establish and secure the TLS connection to the BootZ server. The IDevID certificate is permanently programmed in the TPM of the control card. During the BootZ process, the IDevID certificate is fetched from the TPM. For more information on TPM, see TPM Keys (IDevID and IAK).
    2. The BootZ server sends a response in the structure GetBootstrapDataResponse. The GetBootstrapDataResponse contains the bootstrapping data and includes the initial gNSI artifacts, such as certz, pathz, authz, credential artifacts, and initial device configurations. The bootstrap data is signed by an ownership certificate. After the on-boarding data is validated, the device processes the on-boarding data, which includes the OS version, link/URL to download the OS image, and initial device configuration scripts.
    3. The device validates the Ownership Voucher using one of the stored trust anchor certificates and then uses the Pinned Domain Certificate in the ownership voucher to authenticate the ownership certificate. Before accepting on-boarding data, the device verifies that the on-boarding data is signed by the ownership certificate, which was previously validated by the device. If the signature verification fails, the bootstrap process restarts from step 2.
  4. Report progress
    1. When the router obtains the on-boarding information, it reports the bootstrapping progress to the BootZ server using RPC ReportProgress.
  5. The router downloads the OS image, verifies its hash, checks whether the image version from the bootstrap data differs from the currently running version, and installs the OS if the versions differ. The router then runs the post-installation scripts and becomes operational. A reboot is required if the image version differs from the currently running image. The post-installation script is run after the device boots with the new version.
  6. After the device boots up with the new image, it runs the post-installation script provided by the bootstrap server and sends a final report.
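
The DHCP discovery step delivers the bootstrap server list as unsigned redirect information, so a client should treat the option value as untrusted input. The following is an added example, not Nokia's code: it assumes the option value uses the RFC 8572 encoding (each URI preceded by a 2-byte length) and keeps only entries that match the bootz://<host or ip>:<port> format. The function names, sample addresses and port 15006 are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit


def parse_redirect_option(value):
    """Split the option value: repeated (2-byte big-endian uri-length, URI)."""
    uris, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated uri-length field")
        (length,) = struct.unpack_from("!H", value, offset)
        offset += 2
        if length == 0 or offset + length > len(value):
            raise ValueError("uri-length is zero or runs past the option")
        # Non-ASCII bytes raise UnicodeDecodeError, a ValueError subclass.
        uris.append(value[offset:offset + length].decode("ascii"))
        offset += length
    return uris


def validate_bootz_uri(uri):
    """Accept only bootz://<host or ip>:<port> and return (host, port)."""
    parts = urlsplit(uri)
    if parts.scheme != "bootz":
        raise ValueError("scheme is not bootz")
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        raise ValueError("unexpected userinfo, path, query or fragment")
    port = parts.port  # raises ValueError when non-numeric or above 65535
    if not parts.hostname or not port:
        raise ValueError("host and non-zero port are both required")
    return parts.hostname, port


def usable_servers(value):
    """Return (host, port) pairs in DHCP order, dropping malformed entries."""
    servers = []
    for uri in parse_redirect_option(value):
        try:
            servers.append(validate_bootz_uri(uri))
        except ValueError:
            continue  # the option is unsigned: skip what does not fit the format
    return servers


# Constructed sample option value; addresses and port 15006 are illustrative.
SAMPLE = b"".join(struct.pack("!H", len(u)) + u for u in (
    b"bootz://192.0.2.10:15006", b"https://198.51.100.7:443",
    b"bootz://[2001:db8::1]:15006", b"bootz://bootz.example.net"))
```

Strict parsing only filters malformed entries; the server itself is authenticated later in the process through the TLS connection and the Ownership Voucher and ownership certificate checks.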