Measured boot and Remote Attestation

This feature was introduced in SLX to harden the security of the management plane.

Measured boot and Remote Attestation are supported from the 20.3.3 release onward.

Planting malware in one or more components of the boot process is a class of attack against embedded network devices that can go unnoticed, because the compromised component behaves just like normal firmware.

The measured boot feature measures (hashes) the boot components, and optionally selected custom files at run time. The Remote Attestation feature reports those hardware and software measurements to a remote attestation server, which verifies them against known-good values; the measurements themselves are the ones produced by measured boot.
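The security argument above rests on two properties: each boot stage hashes the next component before handing over control, and the hashes are accumulated by a one-way extend operation into a register (a TPM PCR, which is what Keylime quotes) that software can only append to, never reset. The verifier then replays the reported event log, checks that it reproduces the PCR value in the signed quote, and compares every entry against an allowlist of known-good hashes. The following Python is added here as an illustration and is not code from SLX-OS or Keylime; it simulates that flow on a constructed three-stage boot chain with made-up component bytes, and the component names, allowlist layout and function names are assumptions for the example. It shows three cases: a clean boot, a boot with a modified kernel, and a boot where the attacker reports the clean event log while the quoted PCR reflects the modified one.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs are all-zero at reset


def measure(blob: bytes) -> bytes:
    """Measurement of a boot component: the SHA-256 digest of its bytes."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || digest).

    Neither the firmware nor an attacker can set a PCR to a chosen value;
    they can only append to the chain, so a tampered stage leaves a trace.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Simulate measured boot over components given in boot order.

    Returns (pcr_value, event_log); event_log is a list of (name, digest_hex)
    in the order the components were measured.
    """
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR value implied by an event log."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(quoted_pcr: bytes, log, allowlist) -> tuple:
    """Verifier logic, returning (ok, reason).

    quoted_pcr stands in for the PCR value carried inside a TPM quote; in a
    real deployment that quote is signed by the TPM's attestation key, which
    is what stops the device software from simply reporting a clean value.
    """
    if replay_log(log) != quoted_pcr:
        return False, "event log does not replay to quoted PCR"
    for name, digest_hex in log:
        if allowlist.get(name) != digest_hex:
            return False, f"unexpected measurement for {name}"
    return True, "all measurements match allowlist"


# Constructed sample boot chain: stand-ins for real firmware images, not SLX data.
GOLDEN_CHAIN = [
    ("bootloader", b"u-boot 2020.10 golden image"),
    ("kernel", b"vmlinuz golden image"),
    ("rootfs", b"rootfs.squashfs golden image"),
]
# Allowlist of known-good digests, as an attestation server would hold them.
ALLOWLIST = {name: measure(blob).hex() for name, blob in GOLDEN_CHAIN}

IMPLANTED_KERNEL = b"vmlinuz with implant"  # constructed malicious stage


def _tampered_chain():
    return [(n, IMPLANTED_KERNEL if n == "kernel" else b) for n, b in GOLDEN_CHAIN]


def check_golden():
    """Clean boot: log replays to the quote and every digest is allowlisted."""
    pcr, log = measured_boot(GOLDEN_CHAIN)
    return attest(pcr, log, ALLOWLIST)


def check_tampered_kernel():
    """Implanted kernel, honest log: caught by the allowlist comparison."""
    pcr, log = measured_boot(_tampered_chain())
    return attest(pcr, log, ALLOWLIST)


def check_forged_log():
    """Implanted kernel, but the device reports the golden event log to hide it.

    The allowlist check would pass, but the quoted PCR no longer matches the
    replayed log, so the forgery is detected.
    """
    pcr, _ = measured_boot(_tampered_chain())
    _, golden_log = measured_boot(GOLDEN_CHAIN)
    return attest(pcr, golden_log, ALLOWLIST)


if __name__ == "__main__":
    for fn in (check_golden, check_tampered_kernel, check_forged_log):
        print(fn.__name__, fn())
```

The example keeps the quote unsigned for brevity; the property it relies on is that the quoted PCR comes from the hardware and not from the software being measured, which is exactly what the TPM's signature on the quote provides in a real attestation.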

The following command enables the measured boot feature on the SLX device:

SLX# measured-boot enable

Note: The device must be rebooted for the above CLI to take effect.

To support Remote Attestation, the user must set up a Keylime registrar server; that setup is outside the scope of this document (refer to the online Keylime server installation guide).

The following commands configure the Keylime agent that runs on the SLX device:

SLX(config)# remote-attestation
SLX(config-remote-attestation)# registrar-server <registrar-ipaddress>

To start the Keylime agent on the SLX device, execute the following command:

SLX(config-remote-attestation)# agent-enable

Note: Refer to the Keylime server guides to start remote attestation using the keylime-tenant utility.