Users Guide

boot operation using the show secure-boot status and show secure-boot file-integrity-status commands.
The show command output displays the combined status of various secure boot features, including:
Was secure boot used for the last reboot?
Is secure boot enabled?
Is the startup configuration protected?
Were any OS10 binary files added, modified, or deleted?
OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected: yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK
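Added example (not part of the Dell guide): a Python check that parses captured output of the two show commands above and reports any field that is not in the passing state. It assumes the output was saved as text, for example from an SSH session. The function names, the "no" value, and the truncated capture are assumptions of this example, because the guide shows only passing output.

```python
import re

# Labels and passing values, taken from the show output in this guide.
EXPECTED = {
    "Last boot was via secure boot": "yes",
    "Secure boot configured": "yes",
    "Latest startup config protected": "yes",
    "File Integrity Status": "OK",
}
# "<label> : <value>" lines; spacing around the colon varies in the output.
LINE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")

def parse_status(cli_text):
    """Return {label: value} for every known status line in captured CLI text."""
    found = {}
    for line in cli_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in EXPECTED:
            found[m.group(1)] = m.group(2)
    return found

def audit(cli_text):
    """Return a list of findings; an empty list means every check passed."""
    found = parse_status(cli_text)
    findings = []
    for label, want in EXPECTED.items():
        got = found.get(label)
        if got is None:
            # Missing line: truncated capture or command not run. Fail closed.
            findings.append(f"{label}: not reported")
        elif got.lower() != want.lower():
            findings.append(f"{label}: {got} (expected {want})")
    return findings

# Constructed capture that matches the passing output shown in this guide.
GOOD = """OS10# show secure-boot status
Last boot was via secure boot : yes
Secure boot configured : yes
Latest startup config protected: yes
OS10# show secure-boot file-integrity-status
File Integrity Status: OK
"""
# Constructed failing capture: unprotected config (assumed value "no") and
# the file-integrity command output cut off.
BAD = GOOD.replace("protected: yes", "protected: no").split("OS10# show secure-boot file")[0]

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, audit(text) or "PASS")
```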
Protect the startup configuration file
Protecting the startup configuration file saves a copy of the current startup configuration file internally. During switch boot up,
the protected version of the startup configuration is loaded.
If you make OS10 configuration changes and save them to the startup configuration, protect the current startup configuration
file by using the secureboot protect startup-config command. This command is supported in the sysadmin,
secadmin, and netadmin roles.
When you enable secure boot and you try to save configuration changes using the write memory command, a warning
message prompts you to first protect the startup configuration file:
Configuration has changed and secure boot is enabled. The protection of the
configuration needs to be updated prior to reboot.
If you reboot the system using the reload command and either the startup configuration is not protected or there are unsaved
changes in the protected startup configuration, the warning message is displayed. The system reboot is not performed until you
protect the current startup configuration file using the secureboot protect startup-config command.
If you reboot the system using a non-CLI method, such as power cycling, the last protected startup configuration is loaded. Any
unsaved changes to the current startup configuration are lost. If the startup configuration is not protected, the default startup
configuration settings are loaded.
Use the secure-boot verify startup-config command to check whether the current startup configuration is protected.
secure-boot verify startup-config
Validate OS10 image file on demand
You can validate an OS10 image file at any time using the image verify command in EXEC mode.
OS10 verifies the signature of the image files using hash-based authentication, GNU Privacy Guard (GnuPG or GPG)-based
signatures, or digital signatures (PKI-signed).
image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem
The image package that is verified consists of:
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin: OS10 image binary
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64: PKI signature of the OS10 image binary
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256: The sha256 hash of the OS10 image binary
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.gpg: GNU Privacy Guard (GnuPG or GPG) signature of the OS10 image binary
DellOS10.cert.pem: Dell public key certificate