
How to permanently remove memory data from the switch to safeguard sensitive data

Chandini
RUCKUS Team Member

Scenario:

When we choose to replace or upgrade network devices, it is also very important to erase sensitive data so that it cannot be decoded by a third party.

Secure wipe is one such feature, introduced in versions 9010 and above, which helps you permanently wipe the contents of flash memory.

It only erases flash memory and does not erase EEPROM.

During this process, all files, configurations, licenses, and other keys are lost, except the TPM keys.

Difference between factory defaulting and secure wipe procedure used for the ICX switches:

When a switch is factory defaulted, it will restore the switch to its original default settings but does not completely erase the data.

When we factory default the switch, the data can still be recovered if specialized software is used by a third party.

Secure wipe is a method where all the data is thoroughly wiped out from the flash memory of the switch.

This process takes about 30 to 40 minutes to completely wipe the data from the switch.

Below is how you can wipe the data from the switches completely:

Device#securewipe 7pass

**************************************************************

*               SECUREWIPE Alert                             *

**************************************************************

* Please pay attention to the details listed below           *

* 1. U-Boot params will be erased                            *

* 2. All flash partitions will be erased and loose all files *

* 3. FIPS will be disabled and related keys will be erased   *

* 4. License and config files will be erased                 *

* 5. Only FI image, U-Boot and TPM keys will be restored.    *

* 6. All warm memory contents will be erased                 *

* 7. Device may fail to boot and/or fail to connect cloud if *

*    power cycled or power down during secure wipe process   *

* 8. Performing secure wipe frequently may reduce the flash  *

*    life cycle                                              *

**************************************************************

**************************************************************

* I have read the alert and SECUREWIPE can be performed now. *

* Please enter 'y' to confirm, 'n' to exit :                 *

**************************************************************

(enter 'y' or 'n'): y

Device boot source is :1

Current booted partition: Primary, UFI used for secure wipe: Primary

Prerequisite check success,securewipe is processing....

 ********************************************

 PLEASE WAIT SYSTEM WILL GO FOR RESTART....

 ********************************************

Process that occurs when you run the “securewipe 7pass” command:

Secondary flash partition process may take 10 to 15 min.

Checking for secure wipe feature enable status...

******************************************************************

* 7-Pass Secure Wipe enabled, secure erase will be performed now *

* This may take some time, do NOT power down/cycle the device    *

* Device will be rebooted automatically after secure erase       *

* Interrupting secure wipe process may cause device to fail boot *

******************************************************************

proccessing securewipe for 7 pass

1+0 records in

1+0 records out

#############################

#       SESSION START       #

#############################

Uboot manager: Requested for command type 0

Platform type: (ICX8150) RODAN

set_uboot_partition:264 CMD: i2cset -y -f 0 0x33 0xe 0x2 1>/dev/null 2>&1

Secondary partition setting success

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

#############################

#       SESSION START       #

#############################

Primary flash partition process may take 10 to 15 min.

#############################

#       SESSION START       #

#############################

Uboot manager: Requested for command type 0

Platform type: (ICX8150) RODAN

set_uboot_partition:264 CMD: i2cset -y -f 0 0x33 0xe 0x1 1>/dev/null 2>&1

Primary partition setting success

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 3ff000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

Erasing 4 Kibyte @ 1f000 -- 100 % complete

#############################

#       SESSION START       #

#############################

Boot partition process may take 10 to 15 min.

Allocating group tables: done

Writing inode tables: done

Creating journal (4096 blocks): done

Writing superblocks and filesystem accounting information: done

 

securewipe started for fastiron  partition

 

mke2fs 1.43.4 (31-Jan-2017)

Discarding device blocks: done

Creating filesystem with 655360 4k blocks and 164160 inodes

Filesystem UUID: 2408ba58-7247-4cf0-ab4d-9e929399849a

Superblock backups stored on blocks:

        32768, 98304, 163840, 229376, 294912

 

Allocating group tables: done

Writing inode tables: done

Creating journal (16384 blocks): done

Writing superblocks and filesystem accounting information: done

 

securewipe started for boot partition

mke2fs 1.43.4 (31-Jan-2017)

Discarding device blocks: done

Creating filesystem with 131072 4k blocks and 32768 inodes

Filesystem UUID: b3a7ad8e-7514-47c3-8403-f51d8a280153

Superblock backups stored on blocks:

        32768, 98304

 

Allocating group tables: done

Writing inode tables: done

Creating journal (4096 blocks): done

Writing superblocks and filesystem accounting information: done

 

securewipe started for warm memory

securewipe done for warm memory

securewipe 7 pass completed

EEPROM Write Protect disable success

EEPROM Write success

EEPROM Write Protect enable success

INIT: Sending processes the TERM signal


Chandini
RUCKUS Team Member

Continued.....

Differences with files and data noticed in the switch:

Before running the secure wipe command:

show flash

Stack unit 1:

  Compressed Pri Code size = 129689292, Version:10.0.10bT253 (RDR10010b.bin)

  Compressed Sec Code size = 129689292, Version:10.0.10bT253 (RDR10010b.bin)

  Compressed Pri Boot Code size = 2097664, Version:10.2.04T255 (rdu1024)

  Compressed Sec Boot Code size = 2097664, Version:10.2.04T255 (rdu1024)

  Golden Image UFI size = 102078998, Version:10.0.00T4 (RDR10000.bin)

  Code Flash Free Space = 1954881536

 

Device# show files

Type       Size   Name

----------------------

F       129689292 primary

F       129689292 secondary

F            2834 startup-config.backup

F          131072 uboot_cfg_param.cfg

F             256 primary.sig

F             569 $$sshd_rsa_host.key.pub

F              26 conf_archive.profile

F               0 icx_dhcp_snoop.db

F             164 startup-config-checksum.txt

F             610 $$sshd_ecdsa_host.key

F             221 $$sshd_ecdsa_host.key.pub

F             256 secondary.sig

F            2602 $$sshd_rsa_host.key

F          162204 poe-fw-pd69200

F          162207 poe-fw-pd69220

F             918 tpm2_verify.txt

F             656 dhclientv4.leases

F            2863 startup-config.txt

F          265728 poe-fw-msp430

 

Device# show license installed

Unit  License Name    L3 Prem  PoD    Speed  Ports  MACsec   SerialNo(L3/ICX8200) SerialNo(PoD/MACsec)

1     2X10GR          Yes      Yes    10G    2      NA                            NA                 

After running the secure wipe command:

ICX8200-C08PF Router# show flash

Stack unit 1:

  Compressed Pri Code size = 129689292, Version:10.0.10bT253 (RDR10010b.bin)

  Compressed Sec Code size = 129689292, Version:10.0.10bT253 (RDR10010b.bin)

  Compressed Pri Boot Code size = 2097664, Version:10.2.04T255 (rdu1024)

  Compressed Sec Boot Code size = 2097664, Version:10.2.04T255 (rdu1024)

  Golden Image UFI size = 102078998, Version:10.0.00T4 (RDR10000.bin)

  Code Flash Free Space = 2015264768

 

ICX8200-C08PF Router#show files

Type       Size   Name

----------------------

F       129689292 primary

F       129689292 secondary

F          162204 poe-fw-pd69200

F             610 $$sshd_ecdsa_host.key

F          131072 uboot_cfg_param.cfg

F              26 conf_archive.profile

F          162207 poe-fw-pd69220

F             221 $$sshd_ecdsa_host.key.pub

F            2602 $$sshd_rsa_host.key

F          265728 poe-fw-msp430

F             569 $$sshd_rsa_host.key.pub

 

ICX8200-C08PF Router# show license installed

Unit  License Name    L3 Prem  PoD    Speed  Ports  MACsec   SerialNo(L3/ICX8200) SerialNo(PoD/MACsec)

1     2X10G           No       Yes    25G    2      NA                            NA  

Reference links:
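The before/after comparison above can be automated when decommissioning several switches. The following is an added example, not part of the original post or RUCKUS tooling: it parses two "show files" captures (excerpts of the listings in the post) and reports what was removed and what sensitive-looking data is still listed. The function names and the SENSITIVE patterns are assumptions chosen for illustration.

```python
import re

# Excerpts of the "show files" listings in the post, used here as sample input.
BEFORE = """\
Type       Size   Name
----------------------
F       129689292 primary
F            2834 startup-config.backup
F             569 $$sshd_rsa_host.key.pub
F               0 icx_dhcp_snoop.db
F            2602 $$sshd_rsa_host.key
F             918 tpm2_verify.txt
F             656 dhclientv4.leases
F            2863 startup-config.txt
"""
AFTER = """\
F       129689292 primary
F            2602 $$sshd_rsa_host.key
F             569 $$sshd_rsa_host.key.pub
"""

ENTRY = re.compile(r"^\s*F\s+(\d+)\s+(\S+)\s*$")
# Assumption: name patterns an auditor treats as site-specific data, not an official list.
SENSITIVE = re.compile(r"startup-config|\.key$|\.leases$|snoop\.db$")


def parse_show_files(text):
    """Return {name: size} for every 'F <size> <name>' row; header rows are skipped."""
    files = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def wipe_report(before_text, after_text):
    """Compare listings: removed files, sensitive names left, same-name-same-size files."""
    before, after = parse_show_files(before_text), parse_show_files(after_text)
    return {
        "removed": sorted(set(before) - set(after)),
        "sensitive_remaining": sorted(n for n in after if SENSITIVE.search(n)),
        "unchanged_size": sorted(n for n in after if before.get(n) == after[n]),
    }


if __name__ == "__main__":
    for key, names in wipe_report(BEFORE, AFTER).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

A name that appears in both listings with the same size, such as the SSH host keys here, cannot be distinguished from its pre-wipe copy by "show files" alone, so compare key fingerprints captured before and after the wipe.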