Protect Your Network with Secure Boot in SONiC

NVIDIA technology helps organizations build and maintain secure, scalable, and high-performance network infrastructure. Advances in AI, with NVIDIA at the forefront, contribute every day to security advances. One way NVIDIA has taken a more direct approach to network security is through a secure network operating system (NOS).

A secure network operating system (NOS) is a specialized type of NOS focused on robust security features to protect network infrastructure from a wide range of threats. 

Different systems offer various security features. Some provide built-in firewalls, VPNs, or monitoring tools. Some offer advanced threat detection and response features. Some offer hardened security at the boot level, preventing attacks before the operating system even loads. One of these features is called Secure Boot.

Secure Boot

NVIDIA is supporting the Secure Boot security standard on a growing number of platforms. Secure Boot is a UEFI (Unified Extensible Firmware Interface) security feature that aims to prevent unauthorized firmware or software from running during the boot process and during firmware updates. NVIDIA Spectrum-4 switches and NVIDIA BlueField-2 DPUs and up now fully support UEFI Secure Boot.

Unsigned or improperly signed code is prevented from executing at the boot level. This stops rootkits, bootkits, firmware attacks, and other malicious code from being loaded before the OS or its security mechanisms are initialized, the point at which an attacker could potentially gain full control of the core system. Gaining such a level of access allows an attacker to do almost anything.

Secure Boot also significantly raises the barrier for attackers attempting to exploit physical access to devices. Even if an attacker can physically access the device, they cannot alter the boot components without the proper keys, protecting against tangible modifications such as replacing CPUs or hard drives.

Secure Boot works by establishing a “chain of trust” starting from the hardware level and extending through the firmware and bootloader. Each component in the boot process verifies the next, and must be signed and checked before execution. If the signatures are valid and match known trusted keys, the system proceeds with the boot process. Otherwise, all unsigned code will be rejected by firmware and the system either halts or provides a warning. This includes an attacker attempting to install their own operating system outright.
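
The chain of trust described above, sketched as an added example (it is not NVIDIA's or SONiC's code). Detached Ed25519 signatures stand in for the signatures embedded in real UEFI images, and the stage names, sample images and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Stage is one boot component. Real UEFI images embed their signatures;
// a detached Ed25519 signature stands in for that in this sketch.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte // nil means the component is unsigned
}

// VerifyChain checks stages in boot order against the trusted key set and
// halts at the first failure, so nothing after an unverified component runs.
func VerifyChain(trusted []ed25519.PublicKey, chain []Stage) ([]string, error) {
	var booted []string
	for _, s := range chain {
		ok := false
		for _, pub := range trusted {
			ok = ok || ed25519.Verify(pub, s.Image, s.Sig)
		}
		if !ok {
			return booted, fmt.Errorf("halt: %s failed signature verification", s.Name)
		}
		booted = append(booted, s.Name)
	}
	return booted, nil
}

// BuildChain signs constructed sample images with the owner's private key.
func BuildChain(priv ed25519.PrivateKey) []Stage {
	var chain []Stage
	for _, n := range []string{"shim", "grub", "kernel"} { // illustrative stage names
		img := []byte("constructed sample image: " + n)
		chain = append(chain, Stage{Name: n, Image: img, Sig: ed25519.Sign(priv, img)})
	}
	return chain
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	chain := BuildChain(priv)
	chain[2].Image = append(chain[2].Image, '!') // modified after signing
	fmt.Println(VerifyChain([]ed25519.PublicKey{pub}, chain))
}
```

The same halt occurs when a stage is signed with a key outside the trusted set or carries no signature at all.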

Secure Boot in the SONiC network operating system

Secure Boot is supported within SONiC (Software for Open Networking in the Cloud), the Linux-based, open-source, hardware-agnostic network operating system. NVIDIA is the second-largest contributor to the SONiC project, behind only Microsoft, and supports SONiC in many ways. Learn more about NVIDIA and SONiC.

The big advantage of SONiC Secure Boot functionality over other systems is autonomy. Being open-source, SONiC enables customizable boot processes, unlike many traditional or proprietary systems, where you are only able to modify so much if at all. 

Running SONiC is not dependent on any vendors as signing entities. You’re free to sign your image with your own private keys, so you know only the firmware you explicitly authorize can be installed. This also adds an extra layer against vendor lock-in. You can design your distribution to only run with certain vendors or boxes, applying one more knowledge barrier for an attacker to cross, as many boxes often require proprietary or special knowledge to access and use. 

Figure 1 shows the high-level architecture flow for Secure Boot in SONiC. The production signing process works slightly differently from the development one: in production, components are signed on an external signing server rather than within the build environment itself. An external signing server provides an isolated environment for extra security, scalability in large environments, and controlled updates and management. At runtime, boot components are verified throughout the process.

This diagram shows the high-level development and production signing flow during the build process, and runtime flow when the system is booted.
Figure 1. Flow of the SONiC build signing process

Read more about how Secure Boot works in SONiC and how to implement it.

Get started securing your boxes

NVIDIA strongly recommends using UEFI Secure Boot in any case due to the increased security it enables. Reach out to your NVIDIA sales representative or NVIDIA Networking Support for more information about how to implement Secure Boot.

To learn more, check out the following resources:
