
VerifyBIV

Description:

Some Cisco products take measurements of the code executed as they boot up. These measurements are recorded in a hardware Trust Anchor Module and can subsequently be retrieved in a cryptographically signed report. This script analyzes the Boot Integrity report to validate its authenticity and to confirm that the report data has not been tampered with.

The script takes the signed output from the IOS CLI commands

show platform integrity signed nonce <int>

and

show platform sudi certificate signed nonce <int>

from supported network devices and verifies the signature over each command's output using the device-specific SUDI certificate contained in the output of the latter command.
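As an added illustration (not code from VerifyBIV itself) of the checks the description above implies, this Python 3 sketch parses a constructed report in the field layout the example run below prints, verifies an RSA PKCS#1 v1.5 / SHA-256 signature over the report body, checks that the nonce matches the one requested (so a captured report cannot be replayed), and compares the PCR values with a known-good baseline. The key pair, the report layout and the assumption that everything before the "Signature:" label is what the device signed are all constructed for this example; a real verification uses the public key from the device's SUDI certificate.

```python
import hashlib
import re

# Demo-only RSA key built from two Mersenne primes so the block runs offline; the factors
# are public, so it is NOT a usable key. A real run uses the SUDI certificate's public key.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg), padded out to the modulus size."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rsa_sign(msg: bytes) -> bytes:
    """Used only to produce the constructed sample report below."""
    return pow(int.from_bytes(emsa_pkcs1_v15(msg), "big"), D, N).to_bytes(K, "big")

def rsa_verify(msg: bytes, sig: bytes) -> bool:
    if len(sig) != K:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(msg)

def parse_report(text: str):
    """Split a report into its signed body, its 'Label: value' fields and the hex signature."""
    # Assumption: everything printed before the 'Signature:' label is what the device signed.
    body, _, sig_hex = text.partition("Signature:\n")
    fields = dict(re.findall(r"^\s*([A-Za-z0-9 ]+?):\s+(\S+)$", body, re.M))
    return body.encode(), fields, bytes.fromhex("".join(sig_hex.split()))

def verify_report(text: str, expected_nonce: str, baseline: dict) -> dict:
    body, fields, sig = parse_report(text)
    return {
        "signature": rsa_verify(body, sig),              # authenticity and integrity
        "nonce": fields.get("Nonce") == expected_nonce,  # freshness: a replayed report fails here
        "pcrs": all(fields.get(k) == v for k, v in baseline.items()),  # matches known-good build
    }

# Constructed sample in the field layout VerifyBIV prints; values copied from the README example run.
PCR0 = "36E1A27DC9115FD08165710F6715AB345B9337A2B329E303A4C869F72EC81C33"
PCR8 = "44F9646B04860009FC45105F816FE01DC39C7DB29401A158B13FECB26749F470"
BODY = (f"show platform integrity sign nonce 123\n   Nonce:       123\n"
        f"   PCR0:        {PCR0}\n   PCR8:        {PCR8}\n   Signature Version:   1\n")
SAMPLE = BODY + "Signature:\n" + rsa_sign(BODY.encode()).hex().upper() + "\n"
BASELINE = {"PCR0": PCR0, "PCR8": PCR8}
```

Any edit to the body after signing, a nonce that differs from the one sent to the device, or a PCR drifting from the baseline each fails its own check, which is what separates a tampered, replayed or modified-boot report from a genuine one.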

Supported platforms and releases (subject to change):

|  Cisco Platform        | Minimum Software  |  Minimum ROMMON/Bootloader |
|  --------------------- | ----------------- | -------------------------- |
|  ISR44xx, ISR443xx     | 16.2.1            | 16.2(1r)                   |
|  ISR 4221              | 16.4.1            | N/A (bundled in software)  |
|  ASR1001-hx, ASR1001-x | 16.3.2            | 16.3(2r)                   |
|  ASR1002-hx, RP3       | 16.3.2            | 16.3(2r)                   |
|  Select Catalyst 3650  | 16.3.2            | 4.26                       |
|  Select Catalyst 3850  | 16.3.2            | 4.28                       |

The purpose of this script is for localized verification of a small number of devices in lieu of utilizing a network management system to perform the same verification across a large number of network devices.

This script is written in Python 2.7. It is intended to run independently of other tools.

Status:

Initial release.

Dependencies

VerifyBIV requires two open source packages:

pycrypto http://www.pycrypto.org/

Use pip:

pip install pycrypto

NOTE: On Windows, change pycrypto's folder name from crypto to Crypto.

docopt http://docopt.org/

Use pip:

pip install docopt

Installation

VerifyBIV is ready to run after download. Mark the VerifyBIV.py file as executable to run it in a Linux environment. If necessary, also modify the #! line at the beginning of the file to point at a Python 2.7 interpreter.

Usage

Usage:
 VerifyBIV.py -s SUDI_FILE [-i SPI_FILE]
 VerifyBIV.py -h | --help
 VerifyBIV.py --version

Options:
 -h, --help                         Show this help message.
 --version                          Show version.
 -s SUDI_FILE, --sudi SUDI_FILE     Verify identity using file containing
                                    output of
                                    "show platform sudi certificate sign nonce XXXXX"
                                    including the cli cmd on the first line.
 -i SPI_FILE, --integrity SPI_FILE  Verify integrity using file containing
                                    output of
                                    "show platform integrity sign nonce XXXXX"
                                    including the cli cmd on the first line.

NOTE: Minimum 100 character width console recommended

Example SUDI_FILE provided: sudi_example.txt

Example SPI_FILE provided: spi_example.txt

How to test the software

Use the included sample files to verify operation.

Example CLI operation:

$ VerifyBIV.py -s sudi_example.txt -i spi_example.txt

Gathering identity info...

   Nonce:               123
   Certificates Found:  3
   Signature Version:   1
   Signature:
        7BADC9C17EE606E584F6B3B9C957DBC98EBDBBE9BEFB1A9FCD8B6E084C2C41C5
        6F3B29E73FF9459BF5169DF9628F72E58C06FF44D2F3BEEB66FA40F09498FFBA
        B299739537C360D5D11ADB273DD275679D194FC0B31A9E169C6C99BD89A2833B
        FF7A41CF65A2572C6BFC120349C8A25C5A519AF14A3BAC0ABAF3FB477C01ABB2
        01FE342234B3E18EDE478A2D278B1AE218CE0AC191A09D592913F76A915E4D37
        68AD58E5E8179F8ADA7F4C9DC9019E65E4AD918670462D38FDAF5541543FF2DF
        89A2E33FB80FD19AF4BFB0FF1F5B1DA3012CB0F3E20D73D96474782346BAD7A4
        DE13114BE3AE6C5E60E76B1B99D59E7E947276A7BA2AEB6CD785C394EF44B8EA

Verifying platform identity signature...

   Platform identity verification:              SUCCESSFUL 


Gathering integrity info...

   Nonce:       123
   PCR0:        36E1A27DC9115FD08165710F6715AB345B9337A2B329E303A4C869F72EC81C33
   PCR8:        44F9646B04860009FC45105F816FE01DC39C7DB29401A158B13FECB26749F470
   Signature Version:   1
   Signature:
        18992E8DC490E8A932F152FD981A8AF1F95B69C8A1C531F5E14EB52CBDD720B8
        34E6F1B64AB38FEB3B2FB5E20407B16699E3E4E2F1E9BF7160B3E92A95E2F375
        9CFE02101C9EE8D508CF178D10FA2121BEC78349BD9D58EE0CBC72FE3F7A9359
        9828A9DDDE3B0C7F3B1DDB9982883D13729B92BA312EF6F107DF7D40F3BE239A
        C203DF64E17AC80ADE62A3D33301D57EE03ED83067BEBEA44B82E9CF5F5587B2
        DEE28C07898E5F3110816E2281B3FE8ACBEA2BEEB718F2F5CE0A36802F456CDF
        D905275FBC89F2A5EE9CC849E825EE8D799B690EACC1BA7A631B8266FC237CE4
        8BE2809C2FC0D1727DB73D8D68956180822440F74C7F6FBAB29BF45FA820FE5C

Verifying platform integrity signature...

   Platform integrity verification:     SUCCESSFUL 

Known issues

Certificate validation

The chain of certificates in the PEM stack printed by the device's show platform sudi certificate command can be validated with openssl or a similar tool against the appropriate Cisco CA certificates, which are available from the Cisco PKI Index.

There is a convenience script in the device_validation subdirectory for validating the SUDI Certificate Chain, the SUDI Serial Number, and the Proof of Possession for the device private key. See the corresponding README file for details.

Getting help

Mailing list for questions about this script: verifybiv-tool AT ciscoDOTcom.

Cisco Community forum coming soon.

Getting involved

This script is provided as a reference for how to perform verification of signed BIV command output. The intent is for others to explore the BIV feature on supported network devices and adapt this verification method to their needs.

Open source licensing info

LICENSE

Credits and References

Information about Boot Integrity Visibility

Trust Center - Cisco
