Information About Boot Integrity Visibility

Boot Integrity Visibility allows Cisco's platform identity and software integrity information to be visible and actionable. Platform identity provides the platform's manufacturing-installed identity. Software integrity exposes boot integrity measurements that can be used to assess whether the platform has booted trusted code.

During the boot process, the software creates a checksum record of each stage of the bootloader activities.

You can retrieve this record and compare it with a Cisco-certified record to verify if your software image is genuine. If the checksum values do not match, you may be running a software image that is either not certified by Cisco or has been altered by an unauthorized party.


Note: Boot Integrity Visibility is supported only on the active supervisor. It does not support high availability scenarios.


Verifying the Software Image and Hardware

This task describes how to retrieve the checksum record that was created during a router bootup. Enter the following commands in privileged EXEC mode.


Note: When you run the following commands, the message % Please Try After Few Seconds might be displayed on the CLI. This does not indicate a CLI failure; it indicates that the underlying infrastructure required to produce the output is still being set up. We recommend waiting a few minutes and then trying the command again.


The messages % Error retrieving SUDI certificate and % Error retrieving integrity data signify a real CLI failure.

  1. show platform sudi certificate [sign [nonce nonce]]

  2. show platform integrity [sign [nonce nonce]]

Verifying Platform Identity and Software Integrity

Verifying Platform Identity

Store-4451# show platform integrity
Platform: ISR4451-X/K9
Boot 0 Version: F01001R06.03c1d3d202013-01-18
Boot 0 Hash: 82597CE130610B8016A6A0FF2851919279857C86966540170E1132C6872A6274
Boot Loader Version: 16.7(4r)
Boot Loader Hash: 5F44054A51B69312283CE03255929D38D938351FDBE7F26A45DCEF6CB7F39C3078C65CB966D71DCF984865D30880AB8D65DD70DB31910B94B0AE290E8DA675E3
OS Version: BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127
OS Hashes:
isr4400-universalk9.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.bin: 8448067652482B991F562E7CB99FC1B1C1437BA7FC968A22C717AD1B5D36D1EE1331B6CCF5C5427FF9D88847D3B849DF482D92D0F631D00BD9A853C065DABEA1
isr4400-firmware_sm_dsp_sp2700.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: A667AFCD2B9819CE88725B90399131BDA06A0B9BFC0DC4835F02E6EFC23347C717DDB6A4659A8C33692344191931D32407EEAA1604F0C152222DE243D5E21D29
isr4400-firmware_nim_shdsl.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: A6E5D11706801FEF7B87B67B71A591176B05955CBA031EAABA23CC41AC715970819F06BD9A85AF945A338E99400211A5061D919C85FA3EC428457F0E498C06C0
isr4400-firmware_nim_ssd.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: F6F6418037171A6C941830BE8481A768C7CFB205F6A807B0196A54B8A2A607C78E6CA26F34BFEAB0C04D0CCA05A1AA5E8AECB6BC8CF7659E826A2F2DC39888DE
isr4400-firmware_nim_ge.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 97752B79EB8AE4925B74A94603CE5FEE5BF89994531074C55935BF1C79065C474D21F3CF35A9F755110A6875ED425C0A14CA3400D3FB76C47CBEEA1B2A7E3216
isr4400-firmware_sm_async.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 0044338EE6A3E8A8AE61DAA599EB9A2A1B1BD78FBCB2880459FCCF9E750FD585239677755CC6ACE4BFDA1CED40A0F63D8A0DF5BAB4DF34DE11D4A42D8FCCFBCC
isr4400-firmware_sm_1t3e3.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 54DA6469D00FF20596FDAD7A2687ED6424180E73DA95A87848CE61143BAB51011866759B7CD21F4C77BFCB2219ECE6918A5F60F245E68BA2E22DFB3831CB1B2B
isr4400-firmware_dsp_analogbri.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 9B7B92DBF5B9E2574FC3668A6E2E4F1A0C20D4C895EF99016F51055E56D6195BA41DE31596E8F2D31B5C4B409207F3C04104304E9AEBC4461606B3614CD57F8C
isr4400-firmware_nim_xdsl.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: A2957CD3005499316638B0AE943F77B02882F1B490899EB43E0D052ED57E299AD3FD82D58589AEC97275DB9AB6D12382C99DF41FD3722D40E01AB7E0201B739D
isr4400-firmware_dsp_sp2700.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 4A6422975EDDBD6367F40A0FB6C20888414BCD2D9C78A615F8C853584CE360079533B63B2AE9D10C1C4BCBE2F46F409525927A416E7275A34B2D513635486F54
isr4400-firmware_ngwic_t1e1.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 001B48A89716B10B6B506AAF562495DFD67E8DBF5BF4385A870E8A8B08BAB7A4F7D67230084A344AA9E40B037974E425A8CE289CDB47D06FDF759F56B5D30DB6
isr4400-firmware_sm_10g.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 1B9D88DC2E708015D65A913B42CEF7D42981D2E09EF9B9CEBDC94714F23C6D19D66B9CD5C72F51434A719BDDC640D9F88972BE9CAC742C894A69EBE55694FF67
isr4400-firmware_prince.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: E82220CCB45DD66C2A7A99DEA10758FE5AB8C217624BA623A83D1ADAF87FD08E4FC533C028D8C86B093184479BB064E36DB6255AA15A91381AE287070C1226E4
isr4400-firmware_dreamliner.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 50AE70E6C115E5339A1299E4ED8C123DE8BBC04CA9A45CA11B716C3013FFDCACD73D53FF043D6EEA36655A56F687247AF2D57176BE2142E0ACC506E64BD2A7DD
isr4400-firmware_nim_bri_st_fw.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 338BDCB41132394919D045E6B957D485F3ACBD160C7561EEF0A8155036DC695F6300291E1444E240975D9D02B45F4DFD36F36C5973D4DD9091DF6F71D9BB4157
isr4400-firmware_nim_cwan.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: AF6FD9A79D92382994FFA292E3129C47024E907E1AC05E13BA44F519D1B95863E7BC2E0BF9A2DD82D153A0D0159131CE034253ADC8ECA8E4662787834BC8DA5E
isr4400-firmware_nim_async.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: DE69E388865BC5B0144FBC96996F35143CA1E3920D84EDA1D97A08281289575B1FA0664CC7B81FC834B4FFA8C91DCF177CD5CA8323BD078B85374374F63DFD16
isr4400-mono-universalk9.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: 6E9CCDCA9AD205B2713C0097A0B90B95B61FF267E3BC231916E8E1DE1650131F8168188E7F1CEE4F17A412B83C73D890A9EDC0409AB6EBB6F5AA687E043FE154
isr4400-firmware_dsp_tilegx.BLD_V1612_THROTTLE_LATEST_20190517_003908_V16_12_0_127.SSA.pkg: BA452BCB66B279A97519397D6B90C8CF9C4CDF3BF74F41900EEDF0000D711EF03CE62C3B9878C314B5A339C16E0C963FD41C4DE86C3A36BDBD2481C49467B485
PCR0: C0F992411527603FE21E89331F95A1B9427B396C3210CFE47CD75B144A8A950E
PCR8: D767C72CEC698669B4A909423C56CA5527CF232217CF23B503B60D5C89275B20
 

Verifying Software Integrity

The following example displays the checksum record for the boot stages. The hash measurements are displayed for each of the three stages of software successively booted. These hashes can be compared against Cisco-provided reference values. An option to sign the output gives a verifier the ability to ensure the output is genuine and is not altered. A nonce can be provided to protect against replay attacks.

show platform integrity sign nonce 123
Platform: C9300-24U
Boot 0 Version: F01144R16.216e68ad62019-02-13
Boot 0 Hash: 523DD459C650AF0F5AB5396060605E412C1BE99AF51F4FA88AD26049612921FF
Boot Loader Version: System Bootstrap, Version 17.1.1r, RELEASE SOFTWARE (P)
Boot Loader Hash: 34A2070D9EAE97E4FC4315A9BAF0E31FFD285E09F0B7F621955607A0FBC1D134ACC0068D8918F15B01975187458F6A46DF0F3DF9BA1593A3CD7BB4DF12487473
OS Version: BLD_POLARIS_DEV_LATEST_20191023_070152
OS Hashes:
cat9k_iosxe.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.bin: 8656F31DE26886F555B93258ADA7F354E083F1AFD22E676D3D83E956F6AA3307F9553E0D94FF752BD6E08DED5DAE067528CE44B16F3DD30A9FB4793E38BAE952
cat9k-wlc.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: 33DDC53F932C9EC4CED2B402DA600511D2E2C5F4EF8037CE5D7D8E70B7050936D060467E7533FC7064073F6B3D9ED5AE53F756DD3493A38D564E96E7A49E25E5
cat9k-guestshell.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: 4F2057EC660DCDE8EAE08CBE932E035338C7DE0A482B12CB443B506EA2298DE3B8EA1F805A28C0BBBFCDA089AE280E6953870161DD5E7F0C16C66A75FEB48546
cat9k-webui.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: 45F3315C88E57A45F21A508C3771FADF0C8DB952F8848CA1C81F5588FFE466B9AF96295A8247DEFC47CD26A39D1802F0507109897297A4B5A86EFCADB3CFC261
cat9k-cc_srdriver.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: EE6B1B1920145F5C978374ECB8374917E4E2825B059B7C95D409312C2C19271317AB349F775D4E1860DD0B22E2F68A961566A00466259D93323972F98E8B17E9
cat9k-srdriver.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: EAF591B3945F14596A8C8AE8022722B6FC2073DFCEC4D24FE2518CAD7338F73A26F4AD29D00602A56E0B8EF6FAA4463239094BA8446D7B074AAF00930253C281
cat9k-sipbase.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: 27155ECC5007A7A457C3E32632576132317EBF905972454C0305932B9A97591D37AFFC7AB40EC19E7B82DE042B31078309C38F4B81AA756F8D4180662D10F051
cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: EDC255EC04D267055BE433D60F8CB4CCC426773C12442A291B15838E0D742F99CD45FD01B7E03AC139FDCA3143D83630052B45CCCBC834A84778CFEFF938CBC9
cat9k-espbase.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: 65B0C8305E572247AAFE188A8C0B5081697CDD60BD8501FC2C88A8101862A63FED8B4AEF276D008F03F28978175FC3C4BF0B8FB3C238CDB619952F46CCF19CF1
cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20191023_070152.SSA.pkg: A297AA546323F63751F1CDA42558975D549E83A8D928A6CAFBD5A77AE19C6645620488E5A40E99FD8BE0F9726B12FF9591D3107825B885C9F7C7244FB31491F9
PCR0: 32E782AF9D75D12AC55BA5F67E9E8F375589CAF9C3558BC90E0EB969A84CDE95
PCR8: F0637823517D08D145F3E4DF207673D194FCB437E8B07170887E7AE279F88178
Signature version: 1
Signature:
BD8D6493B376918C1F47FA1B5FDE7CDD2DF5D51E8DD29D31C4C6744BEF96ECFF797AEFBA2992C404823B3049E8FE81123A6B27374E1D34333418381525653AEF856C976DEEF5C6CB4DA88DEF8EB0BA2E418D4A0725438B57B68477385621358587500C83DAFD7F55DC77A531735CDE95E12667E8F80B3E2A71721E4124A9D7F40085D042F3CA23CE5D91DAED3D590A90950C5227140F2F657E3FE74A6F459B55ABEC8ADCB4A8D18D1B19814BB130512925E64FFB18EB79900C0AB64F2550A7ACAFC4F2F755CA554FC9DEC3067474FF4292489BF0EBCA4E91DA6F5C85DA55B3DE4682EC899D93169FC1C8ADC4744900CEECC29694FC8777BDFF8CA47D1365827C
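
The comparison against reference values described above can be automated. The following Python is an added example, not Cisco's code: it parses show platform integrity output into its measurements, separates the transient message from the real CLI failures, and reports every hash that is mismatched, missing, or unexpected relative to a reference record. The function names, SAMPLE and REFERENCE are assumptions constructed for illustration, and the signature is captured but not verified.

```python
# Added example. SAMPLE and REFERENCE are constructed, shortened values; real
# reference values come from the Cisco-certified record for the image.
TRANSIENT = "% Please Try After Few Seconds"
FAILURES = ("% Error retrieving SUDI certificate", "% Error retrieving integrity data")
SCALARS = {"Platform", "Boot 0 Version", "Boot 0 Hash", "Boot Loader Version",
           "Boot Loader Hash", "OS Version", "PCR0", "PCR8",
           "Signature version", "Signature"}

def parse_integrity(text):
    """Parse 'show platform integrity' output into a dict of measurements."""
    if TRANSIENT in text:
        raise TimeoutError("infrastructure not ready; retry the command later")
    if any(msg in text for msg in FAILURES):
        raise RuntimeError("CLI failure retrieving integrity data")
    rec, in_os, last = {"OS Hashes": {}}, False, None
    for raw in text.splitlines():
        key, sep, val = (part.strip() for part in raw.partition(":"))
        if key == "OS Hashes":
            in_os = True
        elif key in SCALARS:
            in_os, last, rec[key] = False, key, val
        elif in_os and sep:                      # "<package file>: <hash>"
            rec["OS Hashes"][key] = val
        elif key and not sep and last == "Signature":
            rec["Signature"] += key              # hex blob on the following line
    return rec

def compare(measured, reference):
    """Return findings; an empty list means every measurement matched."""
    findings = []
    for field in ("Boot 0 Hash", "Boot Loader Hash"):
        if measured.get(field, "").upper() != reference[field].upper():
            findings.append(f"mismatch: {field}")
    got, ref = measured["OS Hashes"], reference["OS Hashes"]
    for name in sorted(set(got) | set(ref)):
        if name not in got:
            findings.append(f"missing: {name}")
        elif name not in ref:
            findings.append(f"unexpected: {name}")
        elif got[name].upper() != ref[name].upper():
            findings.append(f"mismatch: {name}")
    return findings

SAMPLE = ("Platform: EXAMPLE\nBoot 0 Hash: AA11\nBoot Loader Hash: BB22\n"
          "OS Hashes:\nexample-os.bin: CC33\nexample-webui.pkg: DD44\n"
          "PCR0: EE55\nPCR8: FF66\nSignature version: 1\nSignature:\n0123ABCD\n")
REFERENCE = {"Boot 0 Hash": "AA11", "Boot Loader Hash": "BB22",
             "OS Hashes": {"example-os.bin": "CC33", "example-webui.pkg": "DD44"}}
print(compare(parse_integrity(SAMPLE), REFERENCE))
```

An unexpected package entry is reported as well as a changed hash, because an extra file in the OS Hashes list is as much a deviation from the certified record as a mismatched one.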