Warning about Installing the Image

Note : The bundle can be copied via Trivial File Transfer Protocol (TFTP) or SCP to the device, and then installed using the bundle install flash: <image name> command. The bin file can NOT be directly booted using the boot system flash:/image_name.

PSIRT ADVISORY - Secure Boot for CGR1000

IMPORTANT INFORMATION - PLEASE READ!

FPGA and BIOS have been signed and updated to new versions.

Going forward, for the 15.8 Release Train, this image 15.8(3)M3b is considered as the baseline. Downgrade is STRICTLY UNSUPPORTED to any versions dated prior to this release date! A bundle install to previous releases will cause an error and fail if attempted. Any manual downgrade [non bundle operations] will impair router functionality thereafter.

Note : Due to FPGA/BIOS upgrade cycles, the normal router upgrade/boot time may seem longer than usual. This will occur only on this release. Do not power cycle the device and wait until the IOS prompt is available.

For additional information on the PSIRT see the following:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

SD Card Password Protection Warning on the CGR1000

The SD Card password location has been changed, which results in an updated FPGA upgrade. As a result, the user is requested to DISABLE the SD Card password protection just prior to the upgrade process. Once upgraded, the user is requested to re-enable the same. This is MANDATORY.

Command Line Interface

To disable before upgrade:

Save the configuration and reload for changes to take effect.

To validate:

To re-enable sd-card password protection POST UPGRADE:

Save and reload

To validate after reload:

From 15.8(3)M2, SSH to the Guest-OS (IOx) shell is disabled by default.

The ssh access can be enabled using a hidden script for PRIV15 users by following command:

To again disable ssh access to highest privilege user again, run following command:

Cisco IOS Release 15.8(3)M3b

The following sections list caveats for Cisco IOS Release 15.8(3)M3b:

Open Caveats

■ CSCvq71700

Reload-pending status still shows yes even after SD Card password is disabled and reloaded.

Impact : None, just display of status issue.

Workaround : None

■ CSCvo78253:

Description : iox hyp sched-policy 100 option does not work.

Workaround : Setting values up until 90 works.

■ CSCvr02717:

Description : DOT11 radio hard reset after sending/receiving traffic via Wifi port on CGR1120.

Symptoms : Results in the dot11 Radio 2/1 interface going into a “down down” state until a reload of the IOS.

Workaround : Reload the router to recover the interface.

■ CSCvz71834:

Description : GOS/IOx failing to re-register with IOS, and failing to retry.

Symptoms : GOS is failing to retry to register, and establish the connection after an Initial IOS bootup succeeds. This occurrence is random and very rarely observed.

Workaround : Restart the guest-os with the guest-os 1 restart command.

Resolved Caveats

The following caveats are fixed with this release:

■ CSCvo60928

Description : SD Card password lock

Symptoms : In some scenarios, CMOS batteries would fail to work under extreme cold conditions and lock up SD Card password. As a solution, SD Card password has been moved to different location.

Workaround : None

■ CSCvr86602

Description : Possible corruption of the SD Card

Symptoms : In some rare scenarios, a race condition occurred when two processes were trying to access the same file. This created an environment where it could trigger SD Card corruption.

Workaround : N/A

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2020 Cisco Systems, Inc. All rights reserved.