Enable Trust in Hardware
Because software alone cannot prove a system's integrity, trust must also be established in hardware, using a hardware-anchored root of trust. Without a hardware root of trust, no amount of software signatures or secure software development can protect the underlying system from becoming compromised. To be effective, this root of trust must be based on an immutable hardware component that establishes a chain of trust at boot time. Each piece of code in the boot process measures and checks the signature of the next stage of the boot process before that stage boots.
A hardware-anchored root of trust is achieved through:
- Anti-counterfeit chip: All modules that include a CPU, as well as the chassis, are fitted with an anti-counterfeit chip, which supports co-signed secure boot, secure storage, and boot-integrity-visibility.
- Secure Unique Device Identifier (SUDI): The X.509 SUDI certificate installed at manufacturing provides a unique device identity. SUDI helps to enable anti-counterfeit checks along with authentication and remote provisioning.
- Secure JTAG: The JTAG interface is used for debugging and downloading firmware. However, this interface can also be used by attackers to modify firmware or steal confidential information.
Secure Hardware for Strong Cryptography
To uniquely identify a router as a Cisco device, all platforms that support Cisco IOS XR7 are shipped with a non-tamperable Trust Anchor Module (TAM) in the hardware.
TAM houses known-good-values (KGVs) of the hardware components along with keys and certificates rooted to Cisco. These are used to verify components of the hardware during the BIOS boot.
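
The measure-then-verify chain and the comparison against known-good values described above, modeled as an added example (this is not Cisco code). It substitutes a SHA-256 digest comparison for the signature check, and the stage names, sample images, and the extend-style register are assumptions made for illustration.

```python
import hashlib
import hmac

def measure(image: bytes) -> bytes:
    """SHA-256 measurement of a boot-stage image."""
    return hashlib.sha256(image).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    """Extend operation: new = H(old || measurement). Order-sensitive, cannot be rolled back."""
    return hashlib.sha256(register + measurement).digest()

def verify_boot_chain(stages, kgvs):
    """Walk the stages in boot order. Each stage is measured before it would run;
    a mismatch against its known-good value (KGV) halts the chain at that stage.
    Returns (booted_ok, failed_stage_or_None, final_register)."""
    register = bytes(32)  # register is all zeros at reset
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)  # record the measurement even when it fails
        expected = kgvs.get(name)
        # Constant-time comparison; a stage with no provisioned KGV is rejected.
        if expected is None or not hmac.compare_digest(m, expected):
            return False, name, register
    return True, None, register

# Constructed sample images; the stage names are hypothetical.
GOOD_STAGES = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("rootfs", b"constructed root filesystem v1"),
]
# KGVs as they would be provisioned into protected storage at manufacturing.
KGVS = {name: measure(image) for name, image in GOOD_STAGES}

def demo():
    ok, failed, reg_good = verify_boot_chain(GOOD_STAGES, KGVS)
    tampered = list(GOOD_STAGES)
    tampered[1] = ("kernel", b"constructed kernel image v1 + modification")
    bad_ok, bad_failed, reg_bad = verify_boot_chain(tampered, KGVS)
    return ok, failed, bad_ok, bad_failed, reg_good != reg_bad

if __name__ == "__main__":
    print(demo())
```

The final register value differs whenever any stage differs, which is what lets a remote verifier detect a modified boot path from the reported measurements alone.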