Users Guide

Version Number : 3 (0x2)
Serial Number : 17154672033164819608 (0xee11a353271dfc98)
Signature Algorithm : sha256WithRSAEncryption
Issuer : C=IN, ST=Some-State, L=some-city, O=Internet Widgits Pty Ltd
Validity : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 GMT
Revoke an installed key
If either the public key or private key used in CA certificates is compromised, revoke the key by using the revoke key
command in EXEC mode.
For key-id, enter the local file path where the downloaded or locally generated private key is stored.
OS10# revoke key key-id
The key is moved to the Revoked state.
Recover from image validation failures
This section explains how to recover from image validation failures and provides the recovery steps for the various failure
scenarios.
Secure boot validates both installed images. If validation fails for one of the images, you can install the other image. If
validation fails for both images, reinstall the OS10 image from ONIE.
OS10 kernel validation fails for one installed OS10 image
If kernel validation fails, the system enters GRUB mode. To recover from this validation failure:
1. Select the other installed OS10 image from the GRUB menu.
2. Reboot the system using the other installed OS10 image.
3. Replace the invalid OS10 image with a valid image using the image secure-install command.
OS10# image secure-install image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem
OS10 kernel validation fails for both installed OS10 images
If kernel validation fails for both installed images, the system enters GRUB mode. Use the secure-boot verify kernel
command to check the kernel validation status. To recover from this validation failure:
1. Boot into ONIE.
2. Install a valid OS10 image using the onie-nos-install command. For more information, see Installation using ONIE.
OS10 system binary validation fails for one installed OS10 image
If the system binary validation fails for one of the installed images, you can log in to OS10 CLI EXEC mode, but you cannot access
CONFIGURATION mode. The following log message appears when you use the show logging log-file command:
Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed. OS10 image needs to be reinstalled.
To recover from this validation failure:
1. Reload the system using the reload command.
2. Select the other installed image from the GRUB menu and load that image.
3. Reboot the system using the other installed OS10 image.
4. Replace the invalid OS10 image with a valid image using the image secure-install command.
OS10# image secure-install image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem
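A fleet-side check for the %SECURE_BOOT log message shown in this section, as an added example that is not part of the Dell guide: it scans syslog lines collected from several switches and lists the ones that reported a system file integrity failure. The collector line layout, the host names and the sample lines are constructed assumptions; only the message text comes from the guide.

```python
import re

# Match the %SECURE_BOOT tag plus "integrity failed" instead of the whole sentence, so the
# rule still fires if the "sytem" spelling in the message is corrected in a later release.
FAILURE = re.compile(r"%SECURE_BOOT:.*integrity failed", re.IGNORECASE)
# Assumed collector layout (not from the guide): "<timestamp> <hostname> <message>".
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.+)$")

# Constructed sample lines in chronological order; host names and timestamps are made up.
SAMPLE_LOG = """\
2019-08-01T11:50:02Z leaf1 Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed. OS10 image needs to be reinstalled.
2019-08-01T11:50:09Z leaf2 constructed unrelated event
2019-08-01T11:52:40Z leaf1 Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed. OS10 image needs to be reinstalled.
2019-08-01T12:03:17Z spine1 Dell EMC (OS10) %SECURE_BOOT: OS10 system file integrity failed. OS10 image needs to be reinstalled.
this line is malformed
"""

def find_integrity_failures(lines):
    """Return {hostname: {"first_seen", "last_seen", "count"}} for failing switches."""
    hits = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or not FAILURE.search(m.group("msg")):
            continue  # skip blank or malformed lines and unrelated events
        entry = hits.setdefault(
            m.group("host"),
            {"first_seen": m.group("ts"), "last_seen": None, "count": 0},
        )
        entry["last_seen"] = m.group("ts")
        entry["count"] += 1
    return hits

def report(hits):
    """One line per affected switch, pointing at the recovery steps in this section."""
    return [
        f"{host}: {e['count']} integrity failure(s), first {e['first_seen']}, "
        f"last {e['last_seen']}; boot the other image, then run image secure-install"
        for host, e in sorted(hits.items())
    ]

if __name__ == "__main__":
    for line in report(find_integrity_failures(SAMPLE_LOG.splitlines())):
        print(line)
```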