Dell SmartFabric OS10 User Guide Release 10.5.3

Enable secure boot in OS10

Enabling the secure boot feature prevents the OS10 software (kernel and system binaries) from being compromised during the boot operation.

Secure boot is disabled by default. To enable secure boot, use the secure-boot enable command or RESTCONF API.

NOTE: On some switches, OS10 secure boot is enabled by default.

OS10 stores the kernel signatures and system-file hashes internally. When you enable secure boot, OS10 uses the signatures and hashes to validate the binaries during the next and future reboots.

OS10 has two images, A and B. One image is active: it is the currently running version and is the software used at the next system reload. The other image is the standby, used for software upgrades.

NOTE: When secure boot is enabled in OS10 and you reload the switch from OS10 to ONIE, select ONIE from the BIOS to boot. You cannot boot directly into ONIE from OS10 while secure boot is enabled.

You can use the secure-boot verify command at any time to validate the kernel, system binaries, and startup configuration file of both installed images.

secure-boot verify {kernel | file-system-integrity | startup-config}

After a switch reboot:

  • If kernel binary validation fails, OS10 returns to the GRUB menu. This happens when the kernel binary, the kernel signature file, or both have been compromised. To load OS10, reboot the system using the other OS10 image. After OS10 loads, reinstall the OS10 image to replace the invalid one.
  • If the OS10 system binary file validation fails, the OS10 image loads only in EXEC mode. Configuration mode is blocked. You can reboot your system using the other OS10 image and replace the invalid image with a valid OS10 image.
  • If both the installed OS10 images are compromised, you must install a new image using ONIE. For more information, see Installation using ONIE.
  • If the validation of the kernel and OS10 system binary files succeeds, OS10 loads successfully.
NOTE: If you are installing an OS10 image using zero touch deployment (ZTD):
  • Secure boot is disabled after ZTD reloads the switch.
  • ZTD cannot validate the image with the Dell public key (PKI/sha256/GPG keys) and therefore cannot perform a secure installation of the OS10 image. However, if a secure boot configuration is present in the ZTD configuration file, it is applied, and the following secure boot features are available after installation:
    • Kernel validation during reboot
    • OS10 system binary files validation during reboot
    • Startup configuration file protection
    • All secure boot CLI commands are available
After the switch reboots, the system applies the protected version of the startup configuration. If a protected version of the startup configuration file is not available, the system applies the default configuration. You can check the status of the secure boot operation using the show secure-boot status and show secure-boot file-integrity-status commands. The output of these commands displays the combined status of the secure boot features, including:
  • Was secure boot used for the last reboot?
  • Is secure boot enabled?
  • Is the startup configuration protected?
  • Were any OS10 binary files added, modified, or deleted?
OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected: yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK
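As an added illustration of the file-integrity check described above (example code, not OS10's own implementation, file layout, or manifest format): a manifest of SHA-256 hashes is recorded when protection is enabled, the tree is re-hashed at verification time, and every added, modified, or deleted file is reported, which are the three conditions the show output summarises. The directory, file names, and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed illustration of a hash-manifest integrity check, in the spirit of
# the OS10 file-system-integrity verification described on this page. This is
# not OS10's own code; paths and file contents below are made up.

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file below root, keyed by its path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the recorded manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "deleted": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in current.keys() & manifest.keys()
                           if current[k] != manifest[k]),
    }

def integrity_status(report: dict[str, list[str]]) -> str:
    """Summarise a report the way the show output does: OK only if nothing changed."""
    return "OK" if not any(report.values()) else "FAILED"

def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a constructed 'system binaries' tree in a temp dir, record its
    manifest, verify it clean, then tamper with it and verify again."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "os10-daemon").write_bytes(b"\x7fELF original")  # constructed
    (root / "bin" / "os10-cli").write_bytes(b"\x7fELF cli")          # constructed
    manifest = build_manifest(root)
    clean = verify_manifest(root, manifest)
    (root / "bin" / "os10-daemon").write_bytes(b"\x7fELF patched")   # modified
    (root / "bin" / "os10-cli").unlink()                             # deleted
    (root / "bin" / "rogue").write_bytes(b"not in manifest")         # added
    return clean, verify_manifest(root, manifest)

if __name__ == "__main__":
    before, after = demo()
    print("File Integrity Status:", integrity_status(before), before)
    print("File Integrity Status:", integrity_status(after), after)
```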
