Users Guide

PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64: PKI signature of the OS10 image binary
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256: The sha256 hash of the OS10 image binary
PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.gpg: GNU privacy guard (GnuPG or GPG) signature of the OS10 image binary
DellOS10.cert.pem: Dell public key certificate
Validate the OS10 kernel, system binaries, and startup configuration file
You can validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup and CLI
execution using the secure-boot verify command in EXEC mode.
OS10# secure-boot verify {kernel | file-system-integrity | startup-config}
Enable secure boot in BIOS
Refer to the Z9432F-ON platform installation guide to enable secure boot in BIOS.
NOTE:
When OS10 fails to boot because BIOS secure boot validation failed, reinstall OS10 from ONIE. Refer to Installation Using
ONIE for the steps to install.
BIOS secure boot is supported only on the Z9432F-ON platform.
On some switches, secure boot is enabled by default in the BIOS.
ZTD and secure boot
When you enable secure boot in the BIOS, the BIOS validates the NOS boot loader during boot.
In the OS10 images (from 10.5.2) that support BIOS secure boot, the boot loader (OS10 GRUB) is signed with the DELL standard PKI
key, and the corresponding public key is loaded in the BIOS during manufacturing. When secure boot is enabled in the BIOS, you
cannot use ZTD to install any third-party NOS image that does not support the secure boot feature. In such cases, manually
disable the feature in the BIOS using the BIOS UI to install third-party NOS images that do not support the secure boot
feature.
Validate and upgrade OS10 image
You can validate and upgrade the OS10 installer image files with digital signatures using the image secure-install
command in EXEC mode.
OS10# image secure-install image-filepath {sha256 signature signature-filepath | gpg
signature signature-filepath | pki signature signature-filepath public-key key-file}
The OS10 image installer verifies the signature of the image files using hash-based authentication, GNU privacy guard (GnuPG
or GPG)-based signatures, or digital signatures (PKI-signed). Upgraded image files are installed after they are successfully
validated.
NOTE:
When secure boot is enabled and you install an OS10 image upgrade, the image install command is disabled. Use
the image secure-install command instead. For more information, see Install OS10 upgrade.
If secure boot is not enabled, you can validate an OS10 image using PKI after you manually install the image by using the
image verify command. PKI image validation occurs only once during the installation, not during each reload. After
you manually install the image using the image install command, the image is extracted. The original binary image is
not stored in the system.
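The following is an added example, not part of the original guide and not Dell code: an off-box check of a downloaded installer against its .sha256 file before the image is copied to the switch for image secure-install. It assumes the .sha256 file holds a 64-digit hex digest, either alone or followed by a file name as sha256sum writes it; the function names and the sample file are hypothetical.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

def read_expected_digest(sidecar_path, image_name):
    """Return the hex digest from a .sha256 file (assumed layout, see lead-in)."""
    with open(sidecar_path, "r", encoding="ascii", errors="strict") as fh:
        fields = fh.read().split()
    if not fields or not HEX64.match(fields[0]):
        raise ValueError("sidecar does not start with a 64-hex-digit SHA-256 value")
    # sha256sum-style files name the file they cover; reject a digest for another file.
    if len(fields) > 1 and os.path.basename(fields[1].lstrip("*")) != image_name:
        raise ValueError("sidecar names a different file: " + fields[1])
    return fields[0].lower()

def sha256_of(path, chunk=1 << 20):
    """Hash the file in 1 MiB chunks so a large installer is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_matches_sidecar(image_path, sidecar_path):
    """True only if the image's SHA-256 equals the digest recorded in the sidecar."""
    expected = read_expected_digest(sidecar_path, os.path.basename(image_path))
    return hmac.compare_digest(sha256_of(image_path), expected)

def demo():
    """Constructed sample: a small stand-in image, its sidecar, then a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample-installer.bin")  # constructed name
        side = img + ".sha256"
        with open(img, "wb") as fh:
            fh.write(b"constructed stand-in for an installer image\n")
        with open(side, "w") as fh:
            fh.write(sha256_of(img) + "  sample-installer.bin\n")
        intact = image_matches_sidecar(img, side)
        with open(img, "ab") as fh:
            fh.write(b"\x00")  # simulate corruption or tampering in transit
        modified = image_matches_sidecar(img, side)
        return intact, modified

if __name__ == "__main__":
    print(demo())
```

A matching hash shows only that the image and the .sha256 file agree, so it is only as trustworthy as the channel the .sha256 file came from. The gpg and pki options check a signature rather than a bare hash.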