The secure boot function establishes a trust root for the secure boot platform based on device hardware capabilities and initial boot code.
A communication device consists of multiple embedded computer systems. The software of a device may be infected by viruses, or may be tampered with or compromised by Trojan horses that exploit vulnerabilities.
After the system is upgraded from a version that does not support secure boot to a version that supports secure boot, if secure boot is not enabled on the device, the system prompts users to enable secure boot during their Telnet login.
To find out which boards support secure boot, contact Huawei engineers for the product specifications.
Run the display boot status command to check the status of the secure boot function.
The status of the secure boot function is displayed.
If RoT is displayed as -, the device hardware does not support secure boot. If RoT is displayed as Flash/Locked or CPU, the device is in secure boot mode. If RoT is displayed as Flash/Unlocked, the device is not in secure boot mode. In this case, go to the next step.
Run the check system-software running command to check whether the basic input/output system (BIOS) of the device is normal.
To check whether the BIOS SHA256 value in the system software package is the same as that in the flash memory of a board, run the check system-software running command. If the values are the same, the value of result in the command output is PASS. If the values are different, the value of result is FAIL, indicating that the BIOS SHA256 value in the flash memory of the board has been tampered with. In this case, you need to further locate the cause. This problem prevents the device from being properly restarted.
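The RoT interpretation and the BIOS SHA256 comparison described above can be modelled offline as follows. This is an added example, not Huawei code or CLI output; the board labels, record layout and BIOS byte strings are constructed, and it assumes the RoT value and the flash BIOS bytes have already been collected for each board.

```python
import hashlib
import hmac
from dataclasses import dataclass

# RoT values as described above; anything else is flagged for manual review.
ROT_STATE = {
    "-": "unsupported",              # hardware does not support secure boot
    "Flash/Locked": "secure-boot",
    "CPU": "secure-boot",
    "Flash/Unlocked": "not-secure-boot",
}

@dataclass
class Board:
    name: str          # hypothetical board label
    rot: str           # RoT value recorded for the board
    flash_bios: bytes  # BIOS bytes read from the board's flash (constructed)

def bios_result(package_bios: bytes, flash_bios: bytes) -> str:
    """PASS if both BIOS images have the same SHA-256 digest, else FAIL."""
    expected = hashlib.sha256(package_bios).digest()
    actual = hashlib.sha256(flash_bios).digest()
    return "PASS" if hmac.compare_digest(expected, actual) else "FAIL"

def audit(boards, package_bios):
    """Return {board name: (state, result, follow-up)} for each board."""
    report = {}
    for b in boards:
        state = ROT_STATE.get(b.rot.strip(), "unknown")
        result = bios_result(package_bios, b.flash_bios)
        if result == "FAIL":
            todo = "locate cause of BIOS mismatch; restart may fail"
        elif state == "not-secure-boot":
            todo = "secure boot not in effect; continue with next step"
        elif state == "unknown":
            todo = "unrecognised RoT value; review manually"
        else:
            todo = "none"
        report[b.name] = (state, result, todo)
    return report

# Constructed sample data: one byte of the third board's BIOS is altered.
PACKAGE_BIOS = bytes(range(256)) * 4
BOARDS = [
    Board("board-1", "Flash/Locked", PACKAGE_BIOS),
    Board("board-2", "Flash/Unlocked", PACKAGE_BIOS),
    Board("board-3", "CPU", PACKAGE_BIOS[:100] + b"\x00" + PACKAGE_BIOS[101:]),
    Board("board-4", "-", PACKAGE_BIOS),
]
```

Calling `audit(BOARDS, PACKAGE_BIOS)` reports FAIL only for board-3, whose single altered byte changes the digest even though its RoT value indicates secure boot mode.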