BIOS Protection

The BIOS protection feature provides write-protection for the golden ROMMON image and ensures that any upgrades to this image are performed securely.

Without the BIOS protection feature, the golden ROMMON image is vulnerable to corruption by malicious code during software upgrades.

Primary ROMMON and golden ROMMON

ROMMON images are stored on the SPI flash device as both primary ROMMON and golden ROMMON.

The primary ROMMON is used to boot the device each time it is powered on or restarted. If the primary ROMMON becomes corrupted, the device automatically uses the golden ROMMON to boot the IOS XE software image.

When the device boots from the primary ROMMON, the golden ROMMON remains locked.

With the BIOS protection feature enabled, the golden ROMMON is write-protected and cannot be upgraded using the standard flash utility upgrade mechanism. Access policies for the golden ROMMON are enforced by the FPGA firmware, which blocks unauthorized operations such as write and erase commands on the golden ROMMON SPI flash device.

Note: Golden ROMMON upgrade becomes available only after a secure boot FPGA upgrade.

Upgrade on standalone, high availability, and SVL devices

The upgrade process varies between standalone, high availability, and SVL devices. This table explains how the upgrade process works.

Table 1. Upgrade on standalone, high availability, and SVL devices

Device configuration: Standalone device
Upgrade process: When you upgrade in install mode, the primary ROMMON upgrades automatically when the device boots. To upgrade the golden ROMMON, use the capsule upgrade process.

Device configuration: High availability and StackWise Virtual devices
Upgrade process: Perform an In-Service Software Upgrade (ISSU) for devices in a high availability setup. This ISSU process includes FPGA upgrades. If you upgrade in install mode with reload, reload one supervisor at a time. With the standby supervisor in the ROMMON state, boot the active supervisor first. After the ROMMON upgrade completes on the active supervisor, upgrade the FPGA and software image as well.

Capsule upgrade

The primary ROMMON, primary FPGA, and golden FPGA (secure-boot FPGA) are automatically upgraded when the device boots. In contrast, the golden ROMMON can only be upgraded using the capsule upgrade process, ensuring an additional layer of security for critical boot components.

In a capsule upgrade, a secure update capsule is created and digitally signed, and is used by the primary ROMMON to upgrade the golden ROMMON after authentication. This process requires a secure flash certificate, which is generated using the product key and included in the primary ROMMON image to verify the authenticity of the update capsule. The capsule itself is created using the secure flash certificate along with a secure boot 16 MB flash image, and is then signed to ensure the integrity and authenticity of the upgrade.

When the device boots, the primary ROMMON initiates the capsule upgrade process for the golden ROMMON. To manually perform a capsule upgrade for the golden ROMMON, use the upgrade rom-monitor capsule golden command on a switch or the upgrade rom-monitor capsule golden switch command on a switch stack in privileged EXEC mode.

How capsule upgrade works

Workflow

This section explains what happens during a capsule upgrade.

  1. The device checks if secure-boot FPGA upgrade is enabled. If secure-boot FPGA upgrade is not enabled, the upgrade stops.
  2. The device checks if bootloader protection is enabled. If bootloader protection is not enabled, a one-time upgrade of primary ROMMON, golden ROMMON, and primary FPGA is initiated.
  3. If bootloader protection is already active, Cisco IOS XE copies the secure update capsule to bootflash and the device reboots.
  4. When the device reboots, the system selects the secure update capsule to perform the upgrade.
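The two security-relevant pieces of the capsule upgrade described above, the authentication of the signed capsule against the certificate carried in the primary ROMMON and the FPGA-enforced write gate on the golden ROMMON, together with the step 1 precondition of the workflow, are modelled in this added Go example. It is not Cisco's code: the capsule layout (a "CAPS" magic, version and length header followed by the image and an Ed25519 signature), the Ed25519 key pair standing in for the secure flash certificate, and the Device type with its WriteGolden gate are all constructed assumptions. The bootflash copy and reboot in steps 3 and 4 are not modelled; the example shows only what must be true before a single byte of the golden region changes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed capsule layout for this example (not Cisco's real capsule format):
// magic(4) | version(4) | imageLen(4) | image | ed25519 signature over all preceding bytes
var capsuleMagic = []byte("CAPS")
const capsuleHeaderLen = 4 + 4 + 4

// BuildCapsule serialises an image with its header and signs the result with the
// private key whose public half is carried in the secure flash certificate.
func BuildCapsule(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	hdr := make([]byte, capsuleHeaderLen)
	copy(hdr[0:4], capsuleMagic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(image)))
	body := append(hdr, image...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyCapsule checks the signature before trusting any header field and
// returns the version and image only when every check passes.
func VerifyCapsule(pub ed25519.PublicKey, blob []byte) (uint32, []byte, error) {
	if len(blob) < capsuleHeaderLen+ed25519.SignatureSize {
		return 0, nil, errors.New("capsule too short")
	}
	split := len(blob) - ed25519.SignatureSize
	body, sig := blob[:split], blob[split:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("capsule signature does not verify")
	}
	if !bytes.Equal(body[:4], capsuleMagic) {
		return 0, nil, errors.New("capsule magic mismatch")
	}
	image := body[capsuleHeaderLen:]
	if binary.BigEndian.Uint32(body[8:12]) != uint32(len(image)) {
		return 0, nil, errors.New("image length mismatch")
	}
	return binary.BigEndian.Uint32(body[4:8]), image, nil
}

// Device models only the parts of the boot environment the workflow depends on.
type Device struct {
	SecureBootFPGAUpgradeEnabled bool              // precondition checked in step 1
	TrustedKey                   ed25519.PublicKey // from the secure flash certificate
	GoldenROMMON                 []byte            // golden ROMMON SPI region contents
	goldenUnlocked               bool              // FPGA write gate, closed by default
}

// WriteGolden models the FPGA-enforced access policy: the golden region accepts
// a write only while the capsule path has explicitly unlocked it.
func (d *Device) WriteGolden(image []byte) error {
	if !d.goldenUnlocked {
		return errors.New("golden ROMMON is write-protected")
	}
	d.GoldenROMMON = append([]byte(nil), image...)
	return nil
}

// CapsuleUpgrade is the primary-ROMMON side: stop unless the secure-boot FPGA
// upgrade is enabled, authenticate the capsule, then open the write gate only
// for the duration of the verified write. It returns the installed version.
func (d *Device) CapsuleUpgrade(blob []byte) (uint32, error) {
	if !d.SecureBootFPGAUpgradeEnabled {
		return 0, errors.New("secure-boot FPGA upgrade not enabled; upgrade stopped")
	}
	version, image, err := VerifyCapsule(d.TrustedKey, blob)
	if err != nil {
		return 0, err
	}
	d.goldenUnlocked = true
	defer func() { d.goldenUnlocked = false }()
	if err := d.WriteGolden(image); err != nil {
		return 0, err
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{SecureBootFPGAUpgradeEnabled: true, TrustedKey: pub, GoldenROMMON: []byte("golden-v1")}
	good := BuildCapsule(priv, 2, []byte("golden-v2 (constructed sample image)"))
	fmt.Println(dev.CapsuleUpgrade(good))        // 2 <nil>
	bad := append([]byte(nil), good...)
	bad[capsuleHeaderLen] ^= 0xff                 // corrupt one image byte after signing
	fmt.Println(dev.CapsuleUpgrade(bad))         // 0 capsule signature does not verify
	fmt.Println(dev.WriteGolden([]byte("rogue"))) // golden ROMMON is write-protected
}
```

The ordering inside VerifyCapsule is the point to take from the model: the signature is checked over the whole capsule before any header field is parsed or trusted, so a corrupted length or image never reaches the flash write, and the write gate is opened only after authentication and closed again regardless of how the write ends. That mirrors what the page describes, where the FPGA firmware blocks write and erase commands to the golden ROMMON SPI flash outside the authenticated capsule path.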