Instructions for Addressing the Cisco Secure Boot Hardware Tampering Vulnerability on Cisco ASR 1000 Series Routers

This document provides instructions on how to address the Cisco Secure Boot Hardware Tampering Vulnerability on Cisco ASR 1000 Series Routers.


Note

Cisco recommends upgrading Field Programmable Gate Arrays (FPGA) as a solution for the Cisco Secure Boot Hardware Tampering Vulnerability. For more details of the vulnerability and affected products, refer https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.


Prerequisites for Upgrading FPGA

Download the image from the CCO website and copy it to USB or bootflash of the router which is scheduled for the upgrade.

Table 1. FPGA Versions and Images

S. No

Platforms

FPGA Version

CCO URL for the FPGA Image

1

ASR1001-X

19060309

FPGA Upgrade Tool

2

ASR1002-HX

19030211

FPGA Upgrade Tool

3

ASR1001-HX

19030215

FPGA Upgrade Tool


Note

Do not perform any power cycle or remove the power cable during the FPGA upgrade. If there is a power loss during the upgrade, it may result in corruption of the boot image and it may require RMA of the equipment.


Upgrading FPGA

To upgrade FPGA, run the upgrade utility image:

Procedure


Step 1

Copy the utility to USB or to bootflash: using FTP or TFTP.

Step 2

Save the current running configurations and backup it to bootflash.


Router#copy running-config bootflash:running-config_15may2019
Destination filename [running-config_15may2019]?
6222 bytes copied in 0.536 secs (11608 bytes/sec)
Router#
 
Router#write memory
Building configuration...
[OK]
Router# 
Step 3

Note down the configuration register value and change it to 0x0..

Router#show version | in Configuration
Configuration register is 0x2102
WLC#

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x0
Router(config)#end
Router#write 
Step 4

Issue the router reload command and ensure that the Rommon prompt is displayed on the router.

Router#reload
 
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
[OK] 
Step 5

Initiate the upgrade using the following CLI, and follow the instructions from the tool.

Note 

If the image is copied in USB, execute the following command:

boot usb0:ASR1K-fpga_prog.16.0.1.xe.bin

If the image is copied in Bootflash, execute the following command:

boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin

rommon 2 > boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
File size is 0x015a3814
Located ASR1K-fpga_prog.16.0.1.xe.bin
Image size 22689812 inode num 32, bks cnt 5540 blk size 8*512
##############################################################################################################################################################################################################################
Boot image size = 22689812 (0x15a3814) bytes
 
ROM:RSA Self Test Passed
ROM:Sha512 Self Test Passed
 
Package header rev 1 structure detected
Calculating SHA-1 hash...done
validate_package_cs: SHA-1 hash:
calculated c55a44e3:d0433d49:ef3e0f29:04956cc7:3232af02
expected c55a44e3:d0433d49:ef3e0f29:04956cc7:3232af02
Validating main package signatures
 
RSA Signed RELEASE Image Signature Verification Successful.
Image validated
 
Cisco ASR1K FPGA Programming Utility
 
****************************************
** **
** DO NOT TURN OFF THE POWER OR **
** RESET THE BOX DURING THE UPGRADE **
** **
****************************************
 
Press 'Y' or 'y' to upgrade
or any other key to reboot
 
Detected Board Type: ASR1001-X
 
SPI Flash Device ID: 009d6016
 
Programming Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
################################################################
Verifying Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
################################################################
FPGA image verified correctly !!
 
Router Power Cycle is needed for the changes to take effect
 
Press a key to Power cycle...
 
Power cycling the box...
 
 
à
 
Initializing Hardware...
 
System integrity status: 00000610
U
 
System Bootstrap, Version 16.9(4r), RELEASE SOFTWARE
Copyright (c) 1994-2018 by cisco Systems, Inc.
 
Current image running: Boot ROM1
Last reset cause: PowerOn
 
ASR1001-X platform with 4194304 Kbytes of main memory 
Important 
********************************

The following message confirms the upgrade is successful:

FPGA image verified correctly !!

In this case, skip Step 6 and Step 7, and proceed to Step 8 for verification.

Step 6

If the Upgrade is not successful, the following message appears: FPGA image failed to verify correctly !!

Retry the upgrade by issuing Yes.


Use can issue “y” or “Y” to retry.
 
Detected Board Type: ASR1001-HX
SPI Flash Device ID: 00202015
 
Programming Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
################################################################
Verifying Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
 
FPGA image failed to verify correctly !!
 
Upgrade failed. Retrying...
 
Cisco ASR1K FPGA Programming Utility
 
****************************************
** **
** DO NOT TURN OFF THE POWER OR **
** RESET THE BOX DURING THE UPGRADE **
** **
****************************************
 
Press 'Y' or 'y' to upgrade
or any other key to reboot
 
Detected Board Type: ASR1001-HX
 
SPI Flash Device ID: 00202015
 
Programming Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
################################################################
Verifying Flash...
|.......|.......|.......|.......|.......|.......|.......|.......|
################################################################
FPGA image verified correctly !!
 
Router Power Cycle is needed for the changes to take effect
 
Press a key to Power cycle...
 
Power cycling the box...
 
ýü
 
Initializing Hardware...
 
System integrity status: 90170400 12030106
 
U
 
System Bootstrap, Version 16.3(2r), RELEASE SOFTWARE
Copyright (c) 1994-2016 by cisco Systems, Inc.
 
Current image running: Boot ROM0
 
Last reset cause: CPU-ResetRequest
 
ASR1001-HX platform with 8388608 Kbytes of main memory
 
rommon 1 > 
Step 7

After the retry, if the upgrade still fails, reach out to Cisco TAC for further assistance.

Step 8

After the upgrade is complete, device power cycles automatically, and the rommon prompt is displayed to boot the IOS image.

Sample IOS boot steps are:
 
rommon 1 > dir bootflash:
File System: EXT2/EXT3
 
15 526240224 -rw-r--r-- asr1001x-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin
 
rommon 2 > boot bootflash:asr1001x-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin 
Step 9

Revert back the configuration register value to its original value.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#end
Router#write 

Verifying FPGA Upgrade

To verify the FPGA upgrade, use the following command:

Router#show hw-programmable 0
Hw-programmable versions
 
Slot CPLD version FPGA version
-----------------------------------------------------------
0 19022811 N/A 
 

Note

Verify the CPLD version with the platforms given in Table 1.