Boot Integrity Visibility

Information About Boot Integrity Visibility

Boot Iintegrity Visibility allows Cisco's platform identity and software integrity information to be visible and actionable. Platform identity provides the platform’s manufacturing installed identity. Software integrity exposes boot integrity measurements that can be used to assess whether the platform has booted trusted code.

During the boot process, the software creates a checksum record of each stage of the bootloader activities.

You can retrieve this record and compare it with a Cisco-certified record to verify if your software image is genuine. If the checksum values do not match, you may be running a software image that is either not certified by Cisco or has been altered by an unauthorized party.


Note

Boot Integrity Visibility is supported only on the active supervisor. It does not support high availability scenarios.

Verifying the Software Image and Hardware

This task describes how to retrieve the checksum record that was created during a switch bootup. Enter the following commands in privileged EXEC mode.


Note

On executing the following commands, you might see the message % Please Try After Few Seconds displayed on the CLI. This does not indicate a CLI failure, but indicates setting up of underlying infrastructure required to get the required output. We recommend waiting for a few minutes and then try the command again.

The messages % Error retrieving SUDI certificate and % Error retrieving integrity data signify a real CLI failure.

SUMMARY STEPS

  1. show platform sudi certificate [ sign [ nonce nonce]]
  2. show platform integrity [ sign [ nonce nonce]]

DETAILED STEPS

  Command or Action Purpose

Step 1

show platform sudi certificate [ sign [ nonce nonce]]

Example:


Device# show platform sudi certificate sign nonce 123

Displays checksum record for the specific SUDI.

  • (Optional) sign - Show signature

  • (Optional) nonce - Enter a nonce value

Step 2

show platform integrity [ sign [ nonce nonce]]

Example:


Device# show platform integrity sign nonce 123

Displays checksum record for boot stages.

  • (Optional) sign - Show signature

  • (Optional) nonce - Enter a nonce value

Verifying Platform Identity and Software Integrity

Verifying Platform Identity

The following example displays the Secure Unique Device Identity (SUDI) chain in PEM format. The first certificate is the Cisco Root CA 2048 and the second is the Cisco subordinate CA (ACT2 SUDI CA). Both certificates can be verified to match those published on https://www.cisco.com/security/pki/. The third is the SUDI certificate. 

 Device# show platform sudi certificate sign nonce 123
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIKYQlufQAAAAAADDANBgkqhkiG9w0BAQUFADA1MRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw
HhcNMTEwNjMwMTc1NjU3WhcNMjkwNTE0MjAyNTQyWjAnMQ4wDAYDVQQKEwVDaXNj
bzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0m5l3THIxA9tN/hS5qR/6UZRpdd+9aE2JbFkNjht6gfHKd477AkS
5XAtUs5oxDYVt/zEbslZq3+LR6qrqKKQVu6JYvH05UYLBqCj38s76NLk53905Wzp
9pRcmRCPuX+a6tHF/qRuOiJ44mdeDYZo3qPCpxzprWJDPclM4iYKHumMQMqmgmg+
xghHIooWS80BOcdiynEbeP5rZ7qRuewKMpl1TiI3WdBNjZjnpfjg66F+P4SaDkGb
BXdGj13oVeF+EyFWLrFjj97fL2+8oauV43Qrvnf3d/GfqXj7ew+z/sXlXtEOjSXJ
URsyMEj53Rdd9tJwHky8neapszS+r+kdVQIDAQABo4IBWjCCAVYwCwYDVR0PBAQD
AgHGMB0GA1UdDgQWBBRI2PHxwnDVW7t8cwmTr7i4MAP4fzAfBgNVHSMEGDAWgBQn
88gVHm6aAgkWrSugiWBf2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3
LmNpc2NvLmNvbS9zZWN1cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEF
BQcBAQREMEIwQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3Vy
aXR5L3BraS9jZXJ0cy9jcmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkV
AQwAMEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5
L3BraS9wb2xpY2llcy9pbmRleC5odG1sMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJ
KoZIhvcNAQEFBQADggEBAGh1qclr9tx4hzWgDERm371yeuEmqcIfi9b9+GbMSJbi
ZHc/CcCl0lJu0a9zTXA9w47H9/t6leduGxb4WeLxcwCiUgvFtCa51Iklt8nNbcKY
/4dw1ex+7amATUQO4QggIE67wVIPu6bgAE3Ja/nRS3xKYSnj8H5TehimBSv6TECi
i5jUhOWryAK4dVo8hCjkjEkzu3ufBTJapnv89g9OE+H3VKM4L+/KdkUO+52djFKn
hyl47d7cZR4DY4LIuFM2P1As8YyjzoNpK/urSRI14WdIlplR1nH7KNDl5618yfVP
0IFJZBGrooCRBjOSwFv8cpWCbmWdPaCQT2nwIjTfY8c=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgIEAc+JiTANBgkqhkiG9w0BAQsFADAnMQ4wDAYDVQQKEwVD
aXNjbzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMB4XDTE3MDgxOTEwNDMzOVoXDTI3
MDgxOTEwNDMzOVowZzEmMCQGA1UEBRMdUElEOkM5MzAwLTI0VVggU046RkNXMjEz
NEwwMEMxDjAMBgNVBAoTBUNpc2NvMRgwFgYDVQQLEw9BQ1QtMiBMaXRlIFNVREkx
EzARBgNVBAMTCkM5MzAwLTI0VVgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDav5txv4THsqXwWC7AxzHm5MZ28Feqk8FA3tXAv0tV8RXtY4Z9I9XgRzwz
Yw8chknh8LuDMCmGmk8DP+ct++vAF4nkVeIeBeOHnx2RuC9rcR8tuKjCimamDk0M
JHk12w/9+TbdKdNBEy6Sueh1RPVbuSk1oQLQcOYW7CsYC5tI1GkJkfk1nGEK3ni3
ztIpsi7QHyp6k59yccnbzXSdwoBrtbpIIYEk/iHWFRQdlMUunnfIshI7yPneo7V0
NnPc08wk+CA+8XeXk/fnDeGAswKRK1tW9jDP/sY1YubBJNJ4ToqQpG6W/hbNvu3Y
NyS24osSvnn5Bp7on3Rf7eHq9hNjAgMBAAGjbzBtMA4GA1UdDwEB/wQEAwIF4DAM
BgNVHRMBAf8EAjAAME0GA1UdEQRGMESgQgYJKwYBBAEJFQIDoDUTM0NoaXBJRD1V
WUpPVkVZNEZRT0xSbkpwSUUxaGNpQXhNQ0F4Tnpvd05Eb3hNeUFiY1FjPTANBgkq
hkiG9w0BAQsFAAOCAQEASXX+iZLMvHQIR1/s1Pobm0kP/bYeHsgDTRQPRHbCM1HH
ROfjjDaJMHCspB17XtcLkNNFOwyUEkjoepyHjpxxhekGIqgD6Xt4rW6v/058Haw6
QbAhJFGZriVxFoBvW20VQ4ezyaGoqA+0I2GZqD/ZggUy6zsVwKmMe6inoEgXcYap
5GqF4weEoty9u+OKqr3ppWU475lxnNm/h+WHbNtunL6r7wZfe5dFQIxR5QP5gwRa
svpSsCoKm6PiwIUhw25CvtZ9NTg0tu5t5D7aVcxLeR8XbA1pjfgxw/RtSsjNse3+
ZkOgJUESqlxwzxcGUlY+vDINYRQ/sP6y7cT+niT00A==
-----END CERTIFICATE-----

Signature version: 1
Signature:
1809AF26E52292B71217418F6111DDD50707B516937274F30F2DCE6C1FD428C622F459ECC32B3749106AF8DB520AB4DECC93CB7A332A6B8760C3DBF7F77E041F7820F8C076A9D2692C638B9F1A77AA4EB24202DDD8AC7E71E074F9635F5F8B2EE449228439AB74E227DD91D52DE114E8E5A7E8C616AC98E0DB34B35A81D1E0FBA490B2C21F8C08510CB0F21C43A9B7960E064C9E3341BB084067E1CCD025EE412EFD0C6AEECD4DD89A671B5DCA65A9A8DA0E9865505D81F2BFAE3A9E87B4E3CA72F769C6A980A8B47A83808B14C574BE648EBD179BBFD758510810EBD4E18D4B4E833C17CBA75770001A570FFEDE50E023CC80285AC1080FA1DBD6FB8AD9637A

Verifying Software Integrity

The following example displays the checksum record for the boot stages. The hash measurements are displayed for each of the three stages of software successively booted. These hashes can be compared against Cisco-provided reference values. An option to sign the output gives a verifier the ability to ensure the output is genuine and is not altered. A nonce can be provided to protect against replay attacks. 

Device# show platform integrity sign nonce 123
Platform: C9300-24P
Boot 0 Version: MA0081R06.1307262016
Boot 0 Hash: A99EF9F31CE3F3F8533055407F1C88C62176E667E4E1DA0649EAA7A1282F205E0A
Boot Loader Version: System Bootstrap, Version 16.8.0.3, RELEASE SOFTWARE (P)
Boot Loader Hash: F82826514658055C3993AB95F53512341BF20F3CC7D4083C980450EA6CD84608EE636B5B15D13414203CED35603F01974B8676C6AC6F9DC45B25CD1039E686C40A
OS Version: BLD_POLARIS_DEV_LATEST_20171213_030750
OS Hash: E7336A416FB232CA87C73C5C6387EB7244560FBF9F977207D8783C113217DE3DD4CA16C40B16A8CC9841100264D04CAFE3AE863EB94EE561F9851AB167E913830A
PCR0: 9745B571B66D79F0936F4D292B5672B50F50FD1E56E74248D48A33582E992574
PCR8: 1CC295C233DA41BD3530A6F09C21991E8406BFFC88249D7778CA4BB0B9E71EB7
Signature version: 1
Signature:
23E103D9342554D73F16F4CC907F46DA2C66EE69FBAAA47361B286766ADD8172AC6DD9CA259E7E76A5F266FC287312870E2259DB6E9827AB32F943F2B8F77954C4739A8233E7441174567A36E9B0B41A65D964BABA9FA7A53B9DBFF0622A20D780250B25EAA702E38A5FEF2D9A3BD3DA10D74C5C628F538B2A738F1D5875F5F95C339F96C6BD8984374BE92DA20D4447EC8A092B2754ABB706579EBFE0991B6E27427DE8D96162CFDCC3110958F3399783494EDD98FA9C8AAFDC33E91729D14395966F15DE2D0A4A6B2487F3E776E90DAC5060E59B326F67A80A26E6DFD48421B4159F3D52159FA3B11B0170CB766CA29A9F341B67ACFC3A7967F46C41C8A615

Additional References for Boot Integrity Visibility

Related Documents

Related Topic Document Title

For complete syntax and usage information for the commands used in this chapter.

Command Reference (Catalyst 9300 Series Switches)

MIBs

MIB MIBs Link

All the supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History for Boot Integrity Visibility

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Fuji 16.8.1a

Boot Integrity Visibility

Boot Integrity Visibility allows Cisco's platform identity and software integrity information to be visible and actionable. Platform identity provides the platform’s manufacturing installed identity.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.