Secure Software Download

This document describes how to upgrade software from the RPD and Cisco cBR by using the Secure Software Download feature.

Hardware Compatibility Matrix for Cisco Remote PHY Device


Note

Unless otherwise specified, the hardware components introduced in a given Cisco Remote PHY Device Software Release are supported in all subsequent releases.

Table 1. Hardware Compatibility Matrix for the Cisco Remote PHY Device

Cisco HFC Platform: Cisco GS7000 Super High Output Node
Remote PHY Device: Cisco 1x2 / Compact Shelf RPD Software 2.1 and Later Releases

Cisco HFC Platform: Cisco GS7000 Super High Output Intelligent Node (iNode)
Remote PHY Device: Cisco 1x2 / Compact Shelf RPD Software 4.1 and Later Releases

Cisco Intelligent Remote PHY Device 1x2

  • PID—iRPD-1X2=

  • PID—iRPD-1X2-PKEY=


Note

The -PKEY suffix in the PID indicates units that enable the SCTE-55-2 Out-of-Band protocol support.

Information About Secure Software Download

The secure software download (SSD) feature allows you to authenticate the source of a code file and verify the downloaded code file before using it in your system. The SSD is applicable to Remote PHY (R-PHY) devices installed in unsecure locations.

The Remote PHY architecture allows RPDs to download code. Hence, authenticating the source and checking the integrity of the downloaded code is important.

To authenticate the source and verify the downloaded code, SSD verifies the manufacturer signature and the operator signature, if any. The manufacturer signature affirms the source and integrity of the code file to the RPD. If an additional signature is available from the operator, the RPD verifies both signatures with a certificate chain before accepting a code file.

Prerequisites for Upgrading Software using SSD

The following prerequisites are applicable to upgrading RPD software using SSD:

  • The R-PHY node supports downloading software initiated through the GCP message sent from Cisco cBR.

  • RPD supports a secure software download initiated using SSH and CLI directly on the RPD.

  • R-PHY uses TFTP or HTTP to access the server to retrieve the software update file.

How to Upgrade Software from RPD and Cisco cBR Using SSD

Initiating RPD Software Upgrade from Cisco cBR

The RPD software upgrade can be initiated from the Cisco cBR-8 Router. Use the following command to initiate the upgrade:

cable rpd {all|oui|slot|RPD IP|RPD MAC} ssd server_IP {tftp|http} file_name [c-cvc-c|m-cvc-c] [CVC Chain File Name]

Initiating Software Upgrade from RPD Using SSD

If you want to initiate the software upgrade from the RPD, set the SSD parameters on the RPD by using the following commands.

Setting the value for the SSD CVC (Manufacturer's and Co-signer Code Validation Certificates) parameter is optional.

Configure the values for the following parameters:

  • SSD server IP address

  • Filename

  • Transport method

ssd set server server_IP filename file_name transport {tftp|http}
ssd set cvc {manufacturer|co-signer} cvc_chain_file_name  
ssd control start

Verifying Software Upgrade Using SSD Configuration

To display the RPD SSD status, use the cable rpd [all|oui|slot|RPD IP|RPD MAC] ssd status command as given in the following example.
Router# cable rpd all ssd status 
RPD-ID         ServerAddress Protocol Status            Filename 
0004.9f00.0591 192.0.2.0     TFTP     ImageDownloading  image/RPD_seres_rpd_20170216_010001.itb.SSA
0004.9f00.0861 192.0.2.2     TFTP     CodeFileVerified  userid/RPD_seres_rpd_20170218_010001.itb.SSA
0004.9f03.0091 192.0.2.1     TFTP     ImageDownloadFail chuangli/openwrt-seres-rpd-rdb.itb.SSA

The available statuses are the following:

  • CVCVerified

  • CVCRejected

  • CodeFileVerified

  • CodeFileRejected

  • ImageDownloading

  • ImageDownloadSucceed

  • ImageDownloadFail

  • MissRootCA
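
The status output above can be checked automatically after an upgrade is pushed to many RPDs. The following is an added example, not Cisco code: it parses the command output and separates verification failures from transfer failures. The grouping of status values is an assumption inferred from their names, and the last sample row is constructed.

```python
import re

# Status values listed on the page, grouped for triage. The grouping is an
# assumption inferred from the status names, not a Cisco definition.
VERIFY_FAILED = {"CVCRejected", "CodeFileRejected", "MissRootCA"}
TRANSFER_FAILED = {"ImageDownloadFail"}
OK = {"CVCVerified", "CodeFileVerified", "ImageDownloading", "ImageDownloadSucceed"}

# One data row: RPD-ID (dotted MAC), server address, protocol, status, filename.
ROW = re.compile(
    r"^(?P<rpd>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(?P<server>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<status>\S+)\s+(?P<file>\S+)$"
)

def parse_ssd_status(text):
    """Return one dict per RPD row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows

def triage(rows):
    """Bucket RPD-IDs by outcome so verification failures stand out."""
    report = {"verify_failed": [], "transfer_failed": [], "ok": [], "unknown": []}
    for row in rows:
        status = row["status"]
        if status in VERIFY_FAILED:
            bucket = "verify_failed"
        elif status in TRANSFER_FAILED:
            bucket = "transfer_failed"
        elif status in OK:
            bucket = "ok"
        else:
            bucket = "unknown"  # not in the documented list: review by hand
        report[bucket].append(row["rpd"])
    return report

# First three rows are the page's sample output; the last row is constructed.
SAMPLE = """\
Router# cable rpd all ssd status
RPD-ID         ServerAddress Protocol Status            Filename
0004.9f00.0591 192.0.2.0     TFTP     ImageDownloading  image/RPD_seres_rpd_20170216_010001.itb.SSA
0004.9f00.0861 192.0.2.2     TFTP     CodeFileVerified  userid/RPD_seres_rpd_20170218_010001.itb.SSA
0004.9f03.0091 192.0.2.1     TFTP     ImageDownloadFail chuangli/openwrt-seres-rpd-rdb.itb.SSA
0004.9f00.0aaa 192.0.2.3     HTTP     CodeFileRejected  image/constructed_example.itb.SSA
"""

if __name__ == "__main__":
    print(triage(parse_ssd_status(SAMPLE)))
```

An RPD in the verify_failed bucket was offered a CVC or code file that it did not accept, which warrants checking the image and certificate chain on the server rather than simply retrying the download.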

Examples for Upgrading HA RPHY Software

The following examples show the software upgrade from cBR-8 and from FCC or Primary eRPD.

Example: HA RPHY Software Upgrade from Cisco cBR


Router# upgrade set server 203.0.113.1 filename bundle/test.itb.sign transport http
Router# upgrade control show config 

file path: bundle/test.itb.sign
server: 203.0.113.1
transport: HTTP
Router# upgrade control start
Router# upgrade control show status
Downloading image on FCC.


Router# cable rpd group all upgrade 203.0.113.2 http bundle/test.itb.sign 
Router# cable rpd group all upgrade status 
This group 0027.900a.4c1a is not HA-Shelf group.
GROUP-ID: 7abd.44a1.0000  
ServerAddress: 203.0.113.2                           
Protocol: HTTP      
Status: Image downloading on RPDLC                                            
Filename: bundle/test.itb.sign 

Example: HA RPHY Software Upgrade from FCC or Primary eRPD


Router# upgrade set server 203.0.113.2 filename bundle/test.itb.sign transport http
Router# upgrade control start       
Router# upgrade control show status 
Downloading image on FCC.
Router# upgrade control abort       
Abort software upgrade process successfully.
Router# upgrade control show status 
Image download aborted.

Router# show cable rpd-upgrade group all status 
GROUP-ID: 7abd.44a1.0000  
ServerAddress: 203.0.113.2                            
Protocol: HTTP      
Status: Idle                                                                  
Filename: bundle/test.itb.sign

Feature Information for Secure Software Download

Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to the https://cfnng.cisco.com/ link. An account on the Cisco.com page is not required.


Note

The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 2. Feature Information for Secure Software Download

Feature Name: Upgrade Software Image
Releases: Cisco Smart PHY 7200
Feature Information: This feature was introduced on the Cisco Remote PHY Device.