Attestation
Attestation is a mechanism for proving the integrity of the software running on a device. The verifier trusts that the attested data is accurate
because it is signed by a TPM whose key is certified by the CA.
Attestation Identity Key
An Attestation Identity Key (AIK) is a restricted key that is used for signing attestation requests.
Bootloader
The bootloader is a piece of code that runs before any operating system begins to run. Bootloaders contain several ways to
boot the OS kernel and also contain commands for debugging and modifying the kernel environment.
Certificates and Keys in TAm
All database keys are signed by the KEK. Any update to the keys requires the KEK or PK to sign it, using time-based authenticated
variables. Some of the keys in the database are:
- Image signing certificate: This is the X.509 certificate corresponding to the public key and is used for validating the signature
of grub, initrd, kernel, and kernel modules.
- IOS-XR Key: A public key certificate signed by the KEK. This key is common to all Cisco 8000 Series routers and is used to sign GRUB, initrd, kernel and kernel modules.
- RPM key: Used for signing RPMs.
- IMA public key certificate: Used for Integrity Measurement Architecture (IMA), and used to validate the IMA signature of the
files.
- BIOS or Firmware Capsule Update key: Used to sign the outer capsule for BIOS or firmware updates. It is the same as the secure
boot key.
- Platform key (PK) and Key Enrollment Key (KEK): These are public keys and certificates used to manage other keys in the TAm.
- LDWM Key: In the Cisco IOS XR7, the LDWM key is stored in the hardware trust anchor module and is used for validating the
BIOS.
Golden ISO (GISO)
A GISO image includes a base binary artifact (an ISO) for the Linux distribution that is used on the server fleet, packages,
and configuration files that can be used as a base across all servers.
The GISO image for Cisco IOS XR7 software contains the IOS XR RPMs, third-party RPMs, ztp.ini, and secure ZTP certificates.
GRand Unified Bootloader (GRUB)
GNU GRUB (or just GRUB) is a boot loader package that loads the kernel and supports multiple operating systems on a device.
It is the first software that starts at a system boot.
Hash Function
A hash function is any function that is used to map data of arbitrary size onto data of a fixed size.
Initramfs
An initramfs is a complete set of directories of a normal root filesystem, bundled into a single cpio archive and compressed
with one of several compression algorithms. At boot time, the boot loader loads the kernel and the initramfs image into
memory and starts the kernel.
initrd
The initial RAM disk (initrd) is an initial root file system that is mounted before the real root file system is made available. The initrd
is bound to the kernel and loaded as part of the kernel boot procedure.
JTAG
JTAG is a common hardware interface that provides a system with a way to communicate directly with the chips on a board. JTAG
is used for debugging, programming, and testing on embedded devices.
Nonce Value
A nonce value is an arbitrary number that can be used only once in a cryptographic communication. It is a random or pseudo-random
number that is issued in an authentication protocol to ensure that the old communications are not reused in replay attacks.
Platform Configuration Register (PCR)
A PCR is a shielded register or memory region large enough to hold the contents of a hash operation. A PCR is initialized
to a well-known value at power-up, and typically cannot be reset.
PCR Extend
The only way to change the value held in a PCR is to perform an “extend” operation, which is defined as:
PCR[x]new = hash(PCR[x]old || hash(measurement value))
where || denotes concatenation. Because each new value depends on the previous one, a PCR records the whole sequence of measurements, in order, and cannot be rolled back to an earlier value.
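As an added example (not from this page or Cisco's code), the following Python simulates the extend operation with SHA-256 and shows how a verifier replays a boot event log to recompute the PCR it expects. It assumes SHA-256 PCRs initialised to all-zero bytes as the well-known power-up value and uses constructed placeholder measurements for the boot stages.

```python
import hashlib
from typing import Iterable, List

# Assumption: 32-byte (SHA-256) PCR bank, initialised to zeros at power-up.
PCR_BYTES = 32
INITIAL_PCR = bytes(PCR_BYTES)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr_old: bytes, measurement: bytes) -> bytes:
    """PCR[x]new = hash(PCR[x]old || hash(measurement value))."""
    if len(pcr_old) != PCR_BYTES:
        raise ValueError("PCR value must be a SHA-256 digest")
    return sha256(pcr_old + sha256(measurement))


def replay_event_log(events: Iterable[bytes]) -> bytes:
    """Recompute the PCR a verifier expects from a logged sequence of measurements."""
    pcr = INITIAL_PCR
    for measurement in events:
        pcr = pcr_extend(pcr, measurement)
    return pcr


def verify_quote(reported_pcr: bytes, events: List[bytes]) -> bool:
    """The attested PCR must equal the replayed log; order and content both matter."""
    return replay_event_log(events) == reported_pcr


# Constructed sample boot chain: each entry stands in for one measured component.
BOOT_EVENTS = [b"bios", b"grub", b"kernel", b"initrd"]

if __name__ == "__main__":
    expected = replay_event_log(BOOT_EVENTS)
    print("expected PCR:", expected.hex())
    # Swapping two stages yields a different PCR, so a changed boot order is detected.
    reordered = [b"bios", b"kernel", b"grub", b"initrd"]
    print("reordered log matches:", verify_quote(expected, reordered))
    # An extra extend that is missing from the log also breaks the match.
    tampered = pcr_extend(expected, b"unlogged-module")
    print("unlogged extend matches:", verify_quote(tampered, BOOT_EVENTS))
```

In a real attestation exchange the TPM signs the PCR value together with the verifier's nonce using the AIK; this example covers only the PCR arithmetic the verifier checks.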
Trust Anchor module (TAm)
The Cisco Trust Anchor module (TAm) helps verify that Cisco hardware is authentic and provides additional security services.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the
host system for hardware authentication. This key pair is generated by the TPM based on the Endorsement Key and an owner-specified
password.
Root of Trust for Storage
TPM 2.0-compliant Platform Configuration Registers (PCRs) form the Root of Trust for Storage.