Dell Networking - SONiC OS UEFI Secure Boot.
Summary: Selected Dell PowerSwitch platforms include a Trusted Platform Module (TPM) that provides hardware-based encryption services to applications, such as UEFI Secure Boot. UEFI Secure Boot is a component of the BIOS that verifies the file integrity of the network operating system (NOS) before it boots. The Dell PowerSwitch includes a TPM and has UEFI Secure Boot enabled by default in the BIOS so that only signed NOSs can be installed successfully. ...
Instructions
Enterprise SONiC 4.2.0 and later releases support UEFI Secure Boot on the following platforms:
- Z9864F-ON
- Z9664F-ON
- Z9432F-ON
- S5448F-ON
- S4348F-ON
- S4348T-ON
On these platforms, UEFI Secure Boot is enabled by default. If you previously disabled UEFI Secure Boot and want to use it again, re-enable it with the procedure in Enable UEFI Secure Boot.
To check whether your device supports Secure Boot and whether it is enabled, use the following command:
On a platform that does not support Secure Boot:
sonic# show platform sbstatus
SecureBoot is not supported on this system
On a platform that supports Secure Boot:
sonic# show platform sbstatus
SecureBoot is Disabled
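For a fleet, the same check can be run over collected `show platform sbstatus` output. The following is an added example, not Dell's code: the inventory record layout and sample devices are constructed, and the "SecureBoot is Enabled" wording is assumed by analogy with the "Disabled" message shown above.

```python
import re

# Platforms the article lists as supporting UEFI Secure Boot.
SB_PLATFORMS = {"Z9864F-ON", "Z9664F-ON", "Z9432F-ON",
                "S5448F-ON", "S4348F-ON", "S4348T-ON"}
MIN_RELEASE = (4, 2, 0)  # first Enterprise SONiC release with Secure Boot support

def parse_release(text):
    """Leading x.y[.z] of a release string as an int tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def parse_sbstatus(output):
    """Map `show platform sbstatus` output to a state keyword."""
    for line in output.lower().splitlines():
        if "secureboot is not supported" in line:
            return "unsupported"
        if "secureboot is disabled" in line:
            return "disabled"
        if "secureboot is enabled" in line:  # assumed wording, not shown in the article
            return "enabled"
    return "unknown"

def audit(dev):
    """Return (verdict, reason) for one inventory record (hypothetical dict layout)."""
    state, rel = parse_sbstatus(dev["sbstatus"]), parse_release(dev["release"])
    if state == "unknown" or rel is None:
        return "review", "unparsed status or release"
    if dev["model"] not in SB_PLATFORMS:
        return ("n/a", "platform not in supported list") if state == "unsupported" \
            else ("review", "unlisted platform reports a Secure Boot state")
    if state == "unsupported":
        return "review", "listed platform reports no Secure Boot support"
    if rel < MIN_RELEASE:
        return "gap", "release predates 4.2.0; install 4.2.0+ through ONIE first"
    if state == "disabled":
        return "fail", "Secure Boot disabled in BIOS on a supported platform"
    return "pass", "Secure Boot enabled"

# Constructed sample inventory (hostnames and records are made up for illustration).
INVENTORY = [
    {"hostname": "leaf1", "model": "S5448F-ON", "release": "4.5.1",
     "sbstatus": "SecureBoot is Disabled"},
    {"hostname": "spine1", "model": "Z9664F-ON", "release": "4.1.2",
     "sbstatus": "SecureBoot is Disabled"},
    {"hostname": "tor7", "model": "S5248F-ON", "release": "4.2.0",
     "sbstatus": "SecureBoot is not supported on this system"},
]

REPORT = {d["hostname"]: audit(d) for d in INVENTORY}
```

Devices with a `fail` verdict are the ones to schedule for the BIOS procedure; `review` marks records whose output did not match any expected message.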
Prerequisites to use Secure Boot
- Enable Secure Boot in the BIOS firmware.
- If you are already running Enterprise SONiC 4.1.x or a previous version and would like to use the Secure Boot feature in 4.2.0 or a later release, install Enterprise SONiC only by using ONIE.
- The file names of the image and the signature file are the same.
Enable UEFI Secure Boot.
CAUTION: Before entering the BIOS to enable Secure Boot, back up your existing configuration file.
To enable UEFI Secure Boot in the BIOS firmware:
- Attach a console to the serial port on the switch.
- Power cycle the switch.
- After the POWER-ON tests finish, press DEL or F2 when prompted to enter the BIOS menu. If prompted for a password, enter the service tag of the switch followed by an exclamation sign (!); for example: G0K8PK2!
- When the BIOS menu is displayed, open the Security tab, select Enable Secure Boot, press Enter, and select Enabled.
- Press F4 to save the change, exit the BIOS menu, and reboot the switch.
Figure 1. Enable Secure Boot in the BIOS menu.

If you do not want to use Secure Boot.
If you do not want to use UEFI Secure Boot, or if you use Enterprise SONiC 4.1.x or a previous version, disable UEFI Secure Boot to install or boot Enterprise SONiC on TPM-enabled switches, such as the Z9864F-ON, Z9432F-ON, Z9664F-ON, and S5448F-ON.
Error messages
ONIE:~ # onie-nos-install http://ip-address/tftpboot/SONIC/dell_sonic/Enterprise_SONiC_OS_4.5.1_Enterprise_Premium.bin
discover: Rescue mode detected. No discover stopped.
Connecting to ip-address
installer 100% |*******************************| 937M 0:00:00 ETA
ONIE: Executing installer: http://ip-address/tftpboot/SONIC/dell_sonic/Enterprise_SONiC_OS_4.5.1_Enterprise_Premium.bin
Failure: sig file is not found
ONIE:~ #
Version 2.19.1266. Copyright (C) 2018 American Megatrends, Inc.
BIOS Date: 12/05/2018 22:05:29 Ver: 0ACHI032
Press <DEL> or <F2> to enter setup.
Entering Setup...
Figure 2. Secure Boot error message.

Disable UEFI Secure Boot.
To disable UEFI Secure Boot in the BIOS firmware:
- Attach a console to the serial port on the switch.
- Power cycle the switch.
- After the POWER-ON tests finish, press DEL or F2 when prompted to enter the BIOS menu. If prompted for a password, enter the service tag of the switch followed by an exclamation sign (!); for example: G0K8PK2!
- When the BIOS menu is displayed, open the Security tab, select Enable Secure Boot, and press Enter to disable UEFI Secure Boot.
Figure 3. BIOS menu.

Press F4 to save the change, exit the BIOS menu, and reboot the switch.