BIOS protection feature enables write-protection and secure upgrade of the golden ROMMON image. ROMMON is a bootstrap program
that initializes the hardware and boots the Cisco IOS XE software image when you power on or restart the device. ROMMON upgrades
can be required to resolve firmware defects or to support new features. Typically, ROM Monitor upgrades are infrequent and
not required for every Cisco IOS XE software upgrade.
Without BIOS protection feature, golden ROMMON may be corrupted by malicious code during software upgrades.
ROMMON images are stored on the SPI flash device as primary ROMMON and golden ROMMON. Primary ROMMON boots every time the
device is powered on or restarted. If the primary ROMMON gets corrupted, the device uses the golden ROMMON to boot the IOS
XE software image. When the device boots from the primary ROMMON, golden ROMMON is locked. With BIOS protection, golden ROMMON
is made write-protected and cannot be upgraded using the flash utility upgrade mechanism. Access policies are governed by
the FPGA firmware. FPGA blocks the disallowed operations such as write, erase etc on the golden ROMMON SPI flash device.
Golden ROMMON upgrade is not enabled without secure-boot FPGA upgrade.
Primary ROMMON, primary FPGA and golden FPGA (secure-boot FPGA) is automatically upgraded when the device boots. Golden ROMMON
can only be upgraded using the capsule upgrade.
The upgrade process varies between standalone and high availability systems and is explained below.
For a standalone device, when your upgrade the device in install mode, the primary ROMMON is automatically upgraded when the
device boots. Golden ROMMON can be upgraded using the capsule upgrade.
High Availability and StackWise Virtual Systems
We recommend that you perfom In-Service-Software-Upgrade (ISSU) for devices in a high availability setup. FPGA upgrades occur
as part of ISSU.
If you are performing the upgrade in install mode with reload, do not reload both the supervisors at the same time. With the
standby supervisor in ROMMON state, boot the active supervisor. When ROMMON upgrade is completed on each supervisor, FPGA
and software image is upgraded.
Boot the standby supervisor and allow the standby supervisor to upgrade and reach standby hot state.
In a capsule upgrade, a secure update capsule is created and signed which is used by the primary ROMMON after authentication
for upgrading the golden ROMMON. The secure update capsule requires a secure flash certificate. Secure flash certificate is
created using the product key and added to the primary ROMMON image to verify the authenticity of the update capsule. A capsule
is now created using the secure flash certificate and a secure boot 16 MB flash image and signed.
When the device boots, the primary ROMMON triggers the capsule upgrade for the golden ROMMON. To perform capsule upgrade for
the golden ROMMON, use the upgrade rom-monitor capsule golden switch command in privileged EXEC mode.
The following processes occur in a capsule upgrade:
The device checks if secure-boot FPGA upgrade is enabled. If not, the process exits.
The device checks if bootloader protection is enabled. If not, a one-time upgrade of primary ROMMON, golden ROMMON, and primary
FPGA is initiated.
If bootloader protection is already active, IOS copies the secure update capsule to bootflash and the device reboots.
When the device reboots, secure update capsule is picked for performing the upgrade.
Feature History for BIOS Protection
This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
Cisco IOS XE Gibraltar 16.12.1
BIOS Protection feature enables write-protection and secure upgrade of the golden ROMMON image.
Cisco IOS XE Amsterdam 17.1.1
Support for capsule upgrade for golden ROMMON using upgrade rom-monitor capsule switch active command was enabled.
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator,
go to http://www.cisco.com/go/cfn.