
Dell SmartFabric OS10 and SmartFabric Services Security Configuration Guide June 2023

Code and Protect authenticity and integrity

OS10 secure boot provides a mechanism to verify the authenticity and integrity of the OS10 image. Secure Boot protects a system from malicious code being loaded and run during the boot process. Use the secure boot feature to validate the OS10 image during installation and on demand at any time.

Enable secure boot

Enabling the secure boot feature prevents a compromised kernel and system binaries from loading during the boot operation.

OS10(config)# secure-boot enable
OS10(config)# exit
OS10# write memory

Protect the startup configuration file

Protecting the startup configuration file saves a protected copy of the current startup config file internally. During switch boot up, the protected version of the startup configuration is loaded. Protecting the startup configuration file ensures that a compromised configuration file is not loaded when the system boots.

OS10(config)# secure-boot protect startup-config
OS10(config)# exit
OS10# write memory

Validate OS10 image file on demand

Validate an OS10 image file at any time by verifying its signature, to ensure that the OS10 image is not compromised.

OS10# image verify image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}

For GPG validation, before you validate the OS10 image, use the image gpg-key key-server keyserver.ubuntu.com key-id 7FDA043B command to install the GPG key in the switch keyring.

Validate OS10 kernel, system binaries, and startup configuration file

Validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup. Validating these files at startup ensures that the system does not load a compromised file.

OS10# secure-boot verify {kernel | file-system-integrity | startup-config}

Validate OS10 upgrade image files

Validate the digital signature in the image files before installing an OS10 upgrade. Use the following command to validate an OS10 image before installing it:

OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
NOTE: When secure boot is enabled, you can only upgrade OS10 using the image secure-install command.

Validate OS10 image before ONIE OS manual installation

When secure boot is enabled and you manually install an OS10 image using ONIE, you can validate the image using PKI or SHA256.

ONIE:/ # onie-nos-install image_url pki signature_filepath certificate_filepath

Or

ONIE:/ # onie-nos-install image_url sha256 signature_filepath

Check if secure boot is enabled and the file integrity status

Use the following commands to check the status of the secure boot operation and the file integrity status:

OS10# show secure-boot status
Last boot was via secure boot	 : yes
Secure boot configured		 : yes
Latest startup config protected	 : yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK

Enable bootloader protection

To prevent unauthorized users with malicious intent from accessing your switch, protect the bootloader using a GRUB password.

OS10# boot protect enable username username password password
OS10# write memory

Check if bootloader protection is enabled

Use the following command to view the status of bootloader protection on the system:

OS10# show boot protect
Boot protection enabled
Authorized users: root linuxadmin admin
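
The status outputs shown above can be checked automatically against a baseline. The following Python sketch is an added example, not part of the Dell guide or of OS10. It parses captured output of the three show commands and reports any deviation. The function names, the second sample, and the assumption that a disabled or missing state simply lacks the expected line are constructed for illustration.

```python
import re

# Baseline values, taken from the sample outputs on this page.
EXPECTED = {
    "last boot was via secure boot": "yes",
    "secure boot configured": "yes",
    "latest startup config protected": "yes",
    "file integrity status": "OK",
}
# Constructed sample: the three outputs from this page, captured in one transcript.
SAMPLE_OK = """OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected : yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK
OS10# show boot protect
Boot protection enabled
Authorized users: root linuxadmin admin
"""
# Constructed drift: startup config unprotected, boot-protect output not collected.
SAMPLE_DRIFT = SAMPLE_OK.replace("protected : yes", "protected : no").split("OS10# show boot protect")[0]

def parse_status(text):
    """Collect 'Key : value' lines, normalizing tabs and spacing in the key."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith("OS10"):  # skip prompt and command echo
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[" ".join(key.split()).lower()] = value.strip()
    return fields

def audit(text):
    """Return findings; an empty list means the transcript matches the baseline."""
    fields = parse_status(text)
    findings = []
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got is None:
            findings.append(f"missing: {key}")  # fail closed on absent output
        elif got.lower() != want.lower():
            findings.append(f"{key}: expected {want}, got {got}")
    if not re.search(r"^\s*Boot protection enabled\s*$", text, re.M | re.I):
        findings.append("bootloader protection not reported as enabled")
    if not fields.get("authorized users", "").split():
        findings.append("no authorized bootloader users listed")
    return findings
```

Absent fields are reported as findings rather than ignored, so a truncated or partial capture never passes as compliant.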
