Published On: July 14ᵗʰ, 2021 08:10

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

Contents

Introduction to BIOS Protection

BIOS protection feature enables write-protection and secure upgrade of the golden ROMMON image. ROMMON is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software image when you power on or restart the device. ROMMON upgrades can be required to resolve firmware defects or to support new features. Typically, ROM Monitor upgrades are infrequent and not required for every Cisco IOS XE software upgrade.

Without BIOS protection feature, golden ROMMON may be corrupted by malicious code during software upgrades.

ROMMON Upgrade

ROMMON images are stored on the SPI flash device as primary ROMMON and golden ROMMON. Primary ROMMON boots every time the device is powered on or restarted. If the primary ROMMON gets corrupted, the device uses the golden ROMMON to boot the IOS XE software image. When the device boots from the primary ROMMON, golden ROMMON is locked. With BIOS protection, golden ROMMON is made write-protected and cannot be upgraded using the flash utility upgrade mechanism. Access policies are governed by the FPGA firmware. FPGA blocks the disallowed operations such as write, erase etc on the golden ROMMON SPI flash device.


Note

Golden ROMMON upgrade is not enabled without secure-boot FPGA upgrade.


  • Primary FPGA and golden FPGA (secure-boot FPGA) is automatically upgraded when the device boots.

  • On the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the series, you must manually upgrade the ROMMON in the primary SPI flash device, if a new version is applicable, and the release you are upgrading from is Cisco IOS XE Gibraltar 16.12.1 or a later release. (So if you upgrade from Cisco IOS XE Gibraltar 16.11.1 for example, a manual upgrade does not apply; the ROMMON is automatically updated, if applicable). Enter the upgrade rom-monitor capsule primary switch command in privileged EXEC mode.

  • On the C9500-24Y4C, C9500-32C, C9500-32QC, and C9500-48Y4C models of the series, primary ROMMON is upgraded automatically. When you upgrade from an existing release on your switch to a later or newer release for the first time, and there is a new ROMMON version in the new release, the system automatically upgrades the ROMMON in the primary SPI flash device, based on the hardware version of the switch when you boot up your switch with the new image for the first time.

  • Golden ROMMON can be upgraded using the capsule upgrade. Enter the upgrade rom-monitor capsule golden switch command in privileged EXEC mode.

The upgrade process varies between standalone and high availability systems and is explained below.

Standalone Systems

For a standalone device, when your upgrade the device in install mode, the primary ROMMON is automatically upgraded when the device boots. Golden ROMMON can be upgraded using the capsule upgrade.

High Availability and StackWise Virtual Systems

We recommend that you perfom In-Service-Software-Upgrade (ISSU) for devices in a high availability setup. FPGA upgrades occur as part of ISSU.

If you are performing the upgrade in install mode with reload, do not reload both the supervisors at the same time. With the standby supervisor in ROMMON state, boot the active supervisor. When ROMMON upgrade is completed on each supervisor, FPGA and software image is upgraded.

Boot the standby supervisor and allow the standby supervisor to upgrade and reach standby hot state.

Capsule Upgrade

In a capsule upgrade, a secure update capsule is created and signed which is used by the primary ROMMON after authentication for upgrading the golden ROMMON. The secure update capsule requires a secure flash certificate. Secure flash certificate is created using the product key and added to the primary ROMMON image to verify the authenticity of the update capsule. A capsule is now created using the secure flash certificate and a secure boot 16 MB flash image and signed.

When the device boots, the primary ROMMON triggers the capsule upgrade for the golden ROMMON. To perform capsule upgrade for the golden ROMMON, use the upgrade rom-monitor capsule golden switch command in privileged EXEC mode.

The following processes occur in a capsule upgrade:

  • The device checks if secure-boot FPGA upgrade is enabled. If not, the process exits.

  • The device checks if bootloader protection is enabled. If not, a one-time upgrade of primary ROMMON, golden ROMMON, and primary FPGA is initiated.

  • If bootloader protection is already active, IOS copies the secure update capsule to bootflash and the device reboots.

  • When the device reboots, secure update capsule is picked for performing the upgrade.

Feature History for BIOS Protection

This table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Gibraltar 16.12.1

BIOS Protection

BIOS Protection feature enables write-protection and secure upgrade of the golden ROMMON image.

Cisco IOS XE Amsterdam 17.1.1

Capsule Upgrade

Support for capsule upgrade for golden ROMMON using upgrade rom-monitor capsule switch active command was enabled.

Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.