Secure Boot

Secure Boot is a mechanism to ensure the integrity of firmware and software running on a hardware platform by establishing a chain-of-trust relationship in the boot process. The chain-of-trust is established by cryptographic checks at each stage of the boot process to validate the integrity and authenticity of the next stage before it can execute.

The first link in the chain-of-trust is called the “Hardware Root of Trust” (HWROT), which is always trusted and protected against any alterations once programmed. For this version of Secure Boot, the chain-of-trust is established between HWROT, bootloader(s) (ARM systems)/BIOS (X86 systems). The HWROT comprises hardware components ASP NOR Flash, TPM, the firmware ‘Secondary Program Loader‘ (SPL), and the recovery bootloader.

If the UBOOT image verification fails during boot-up, the switch halts and enters the recovery bootloader.

Supported Platforms

ExtremeSwitching 5420, 5520, and 5720 series switches.

Verifying Secure Boot

The following two commands show you the Secure Boot status in the Trusted Delivery field:

show switch {detail}

show system

The Trusted Delivery field has the following states:
  • Boot Image Verification Failed
  • Boot Image Verified