Veriexec File-Signing and Verification for Junos OS

25-Mar-25

Learn about Veriexec file-signing and verification, its benefits, and how to use it on SRX Series Firewalls.

Verified Exec (also known as veriexec) is a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device. Originally developed for the NetBSD OS, veriexec was adapted for Junos OS and enabled by default.

Authorized files, that is, certain files that ship with Junos OS, have an associated fingerprint that veriexec checks to determine whether the file can be used (executed, or even opened). Any file that lacks a valid fingerprint cannot be executed, and cannot be read by applications that require verified input.

The /bin/sh shell does not require verified input. It can be used to run arbitrary scripts because, from a risk perspective, they are equivalent to interactive commands, which are already controlled through user authentication and permissions. However, if a verified shell script contains an instruction to run an arbitrary script, that is, a file that has no fingerprint in the manifest, execution of that file is prevented.

How Veriexec Works

Veriexec provides the kernel with a digitally signed manifest consisting of a set of fingerprints for all the executables and other files that should remain immutable. The veriexec loader feeds the contents of the manifest to the kernel only if the digital signature of the manifest is successfully verified. The kernel can then verify whether a file matches its fingerprint. If veriexec is being enforced, only executables with a verified fingerprint will run. The protected files cannot be written to, modified, or changed.

Each install image contains a manifest. The manifest is read-only. It contains entries such as the following:

etc/rc sha1=478eeda6750c455fbfc18eeb06093e32a341911b uid=0 gid=0 mode=644
etc/rc.verify sha1=15566bb2731abee890fabd0ae8799e02071e006c uid=0 gid=0 mode=644
usr/libexec/veriexec-ext.so.1 sha1=8929292d008d12cd5beb2b9d9537458d4974dd22 uid=0 gid=0 mode=550 no_fips
sbin/verify-sig sha1=cd3ffd45f30f1f9441e1d4a366955d8e2c284834 uid=0 gid=0 mode=555 no_ptrace
sbin/veriexec sha1=7b40c1eae9658f4a450eb1aa3df74506be701baf uid=0 gid=0 mode=555 no_ptrace
jail/usr/bin/php sha1=c444144fef5d65f7bbc376dc3ebb24373f1433a2 uid=0 gid=0 mode=555 indirect no_fips
usr/sbin/chassisd sha1=61b82b36da9c6fb7eeb413d809ae2764a8a3cebc uid=0 gid=0 mode=555 trusted

If a file has been modified and the resulting fingerprint differs from the one in the manifest, you will see a log message, such as the following example:

/kernel: veriexec: fingerprint for dev 100728577, file 70750 64ea873ed0ca43b113f87fa25fb30f9f60030cec != 0d9457c041bb3646eb4b9708ba605facb84a2cd0

The log message is in the following format:

/kernel: veriexec: fingerprint for dev <deviceid>, file <fileid> <calculatedfingerprint> != <fingerprintinthemanifest>

The fingerprint mismatch indicates that the file has been modified. Don’t try to run the file. It could contain corrupted code. Contact JTAC.
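To make the manifest format and the mismatch log concrete, here is an added Python example (not Junos code or any Juniper tool) that parses entries in the format shown above, fingerprints a constructed file tree with SHA-1, and reports both a modified file and an identical copy at an unlisted path; it keys messages by path rather than the kernel's dev/file ids.

```python
import hashlib
import re

# key=value attribute token; any other token after the path is a bare flag
# (no_ptrace, no_fips, indirect, trusted, as in the manifest entries above)
_ATTR = re.compile(r"^(\w+)=(\S+)$")

def parse_manifest(text):
    """Parse lines 'path sha1=... uid=.. gid=.. mode=.. [flags]' into {path: entry}."""
    entries = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        entry = {"flags": set()}
        for tok in tokens[1:]:
            m = _ATTR.match(tok)
            if m:
                entry[m.group(1)] = m.group(2)
            else:
                entry["flags"].add(tok)
        entries[tokens[0]] = entry
    return entries

def fingerprint(data):
    return hashlib.sha1(data).hexdigest()

def verify_tree(manifest, files):
    """Return (mismatch messages, paths with no fingerprint) for a {path: bytes} tree.
    Messages mirror the kernel log format above, keyed by path instead of dev/file ids."""
    mismatches, unlisted = [], set()
    for path, data in files.items():
        entry = manifest.get(path)
        if entry is None:
            unlisted.add(path)  # identical bytes at a new path still have no fingerprint
            continue
        calc = fingerprint(data)
        if calc != entry["sha1"]:
            mismatches.append(f"veriexec: fingerprint for {path} {calc} != {entry['sha1']}")
    return mismatches, unlisted

# Constructed sample tree and a manifest generated from it (hashes are not real Junos values)
GOOD = {"etc/rc": b"#!/bin/sh\necho rc\n", "usr/bin/id": b"\x7fELF-id-binary"}
MANIFEST_TEXT = "\n".join(
    f"{p} sha1={fingerprint(d)} uid=0 gid=0 mode=555" + (" no_ptrace" if p == "usr/bin/id" else "")
    for p, d in GOOD.items())

def demo():
    """Tamper with etc/rc and copy usr/bin/id to tmp/id (the Option 2 check), then verify."""
    tampered = {**GOOD, "etc/rc": b"#!/bin/sh\necho evil\n", "tmp/id": GOOD["usr/bin/id"]}
    return verify_tree(parse_manifest(MANIFEST_TEXT), tampered)
```

Running demo() yields one mismatch message for etc/rc and flags tmp/id as having no fingerprint, which is exactly the "Authentication error" case shown later for a copied binary.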

Benefits of Veriexec

The key benefits of veriexec are:

  • Protects System Security: Veriexec safeguards Juniper Networks routers, switches, and firewalls from security breaches.

  • Prevents Unauthorized Access: It blocks threat actors from gaining persistent, unauthorized access or causing system failure.

  • Thwarts Malware Execution: By preventing the execution of unsigned binaries, it stops unauthorized modifications and malware.

  • Supports Authorized Code: Customers can add signed, authorized code to Junos OS with Veriexec enforcement using the JET SDK.

  • Refer to SDK Guide: For more on the SDK solution, see Develop On-Device JET Applications in the Juniper Extension Toolkit Developer Guide.

How to Verify If Veriexec Is Enforced on a Device Running Junos OS - Option 1

The following subsections describe two ways to check whether veriexec is enforced.

Some Junos OS platforms offer an optional version of Junos OS with veriexec enforcement disabled (referred to as Junos Enhanced Automation or Junos Flex). For more information about Junos Enhanced Automation, see Overview of Junos Automation Enhancements on Devices Running Junos OS with Enhanced Automation.

Use the sysctl security.mac.veriexec.state Command for Junos OS Release 15.1 and Later

Administrators can check whether veriexec is enforced by running the following commands from the Junos OS CLI shell:

  1. Start the shell.

    username@hostname> start shell 
    %
  2. Use the sysctl security.mac.veriexec.state command.

    % sysctl security.mac.veriexec.state 
    security.mac.veriexec.state: loaded active enforce
    %

    If veriexec is enforced, the output is security.mac.veriexec.state: loaded active enforce. If veriexec is not enforced, the output is security.mac.veriexec.state: loaded active.

How to Verify If Veriexec Works - Option 2

You can confirm whether veriexec is working by copying an authorized file (here, /usr/bin/id) to a new location, as shown below. Veriexec prevents the copied file from running because, although there is a valid fingerprint for /usr/bin/id, there is no fingerprint for /tmp/id, even though the two files are identical. Veriexec evaluates the underlying Linux properties of the file, which are not identical after the copy, rather than the file contents alone.

  1. Start the shell.

    username@hostname> start shell 
    #
  2. Change directories and then copy the example file, /usr/bin/id, to a new location.

    # /usr/bin/id
    uid=928(username) gid=20 groups=20,0(wheel),10(field)
    # cp /usr/bin/id /tmp

Results

If veriexec is being enforced, an Authentication error appears. If it is not, the file will be run as normal.

Output when veriexec is enforced (the file is blocked):

# /tmp/id
/bin/sh: /tmp/id: Authentication error
#

Output when veriexec is not enforced (the file is copied):

# /tmp/id
#

Veriexec-Capable Loader for SRX Series Devices

The veriexec-capable loader installs a Junos OS image using the install command from a TFTP server or a USB storage device.

  • Install the Junos OS image from a TFTP server using the install tftp://[host]/package command.

    loader> install tftp://[host]/package
  • Install the Junos OS image from a USB storage device using the install file:///package command.

    loader> install file:///package

The veriexec-capable loader validates the Junos OS image. It boots only a Junos OS image that carries fingerprints; it does not boot an existing Junos OS image or kernel that has no fingerprints. You can use the nextboot function to check the current boot device.

username@hostname# nextboot 
Platform: srx-sword
    eUSB 
usb
current bootdev is: eUSB

Bootupgrade is a tool in the Junos OS package that supports BIOS firmware upgrades. You can use the bootupgrade command to upgrade or check U-Boot, to load a loader manually, and to install the larger veriexec-capable loader. The bootupgrade -c loader command prints the version string of the current loader.

Before the veriexec-capable loader is installed into the Junos OS image, both dual-root partitions are checked for a Junos OS image with fingerprints. The veriexec-capable loader installation is allowed only when both dual-root partitions contain Junos OS with fingerprints.

Install the veriexec-capable loader from the Junos OS CLI shell:

  1. Start the shell.

    username@hostname> start shell 
    %
  2. Use the bootupgrade -l /boot/veloader command to install the veriexec-capable loader.

    % bootupgrade -l /boot/veloader
    Checking Loader CRC... veloader size 1251641 OK
    
  3. The following scenarios can occur:

    • Use request system software add /var/tmp/xxx.tgz no-copy no-validate command to install Junos OS with fingerprints normally.

      username@hostname> request system software add /var/tmp/junos-srxsme-20.4I-20200810_dev_common.0.0833.tgz no-copy no-validate
      Formatting alternate root (/dev/ad0s2a)...
      /dev/ad0s2a: 600.0MB (1228732 sectors) block size 16384, fragment size 2048
              using 4 cylinder groups of 150.00MB, 9600 blks, 19200 inodes.
      super-block backups (for fsck -b #) at:
      32, 307232, 614432, 921632
      Installing package '/altroot/cf/packages/install-tmp/junos-20.4I-20200810_dev_common.0.0833' ...
      Verified junos-boot-srxsme.tgz signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
      Verified junos-srxsme-domestic signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
      Verified manifest signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
      
      WARNING:     The software that is being installed has limited support.
      WARNING:     Run 'file show /etc/notices/unsupported.txt' for details.
      
      JUNOS 20.4I-20200810_dev_common.0.0833 will become active at next reboot
      WARNING: A reboot is required to load this software correctly
      WARNING:     Use the 'request system reboot' command
      WARNING:         when software installation is complete
      Saving state for rollback ...
      
    • For older Junos OS releases: if the veriexec-capable loader is in use and the target Junos OS image is from a release that the veriexec-capable loader does not support, the request system software add /var/tmp/xxx.tgz no-copy no-validate command automatically downgrades from the veriexec-capable loader to the old loader.

      username@hostname> request system software add /var/tmp/junos-srxsme-19.4R1.3.tgz no-copy no-validate 
      WARNING: Package junos-19.4R1.3 version 19.4R1.3 is not compatible with current loader 
      WARNING: Automatic recovering loader, please wait ... 
      Upgrading Loader... 
      ##################################### 
      Verifying the loader image... OK 
      WARNING: The new boot firmware will take effect when the system is rebooted. 
      WARNING: Loader recover finish. 
      Formatting alternate root (/dev/ad0s1a)... 
      /dev/ad0s1a: 598.5MB (1225692 sectors) block size 16384, fragment size 2048 
           using 4 cylinder groups of 149.62MB, 9576 blks, 19200 inodes. 
      super-block backups (for fsck -b #) at: 
      32, 306464, 612896, 919328 
      Installing package '/altroot/cf/packages/install-tmp/junos-19.4R1.3' ... 
      Verified junos-boot-srxsme-19.4R1.3.tgz signed by PackageProductionEc_2019 method ECDSA256+SHA256 
      Verified junos-srxsme-19.4R1.3-domestic signed by PackageProductionEc_2019 method ECDSA256+SHA256 
      Verified junos-boot-srxsme-19.4R1.3.tgz signed by PackageProductionEc_2019 method ECDSA256+SHA256 
      Verified junos-srxsme-19.4R1.3-domestic signed by PackageProductionEc_2019 method ECDSA256+SHA256 
      JUNOS 19.4R1.3 will become active at next reboot 
      WARNING: A reboot is required to load this software correctly 
      WARNING: Use the 'request system reboot' command 
      WARNING: when software installation is complete 
      Saving state for rollback ...
      
    • Use the request system software add /var/tmp/xxx command to check whether the Junos OS package is compatible with the installed loader before installing it.

      username@hostname> request system software add /var/tmp/junos-srxsme-19.4R2.3.tgz
      WARNING: Package junos-19.4R2.3 version 19.4R2.3 is not compatible with this system.
      WARNING: Please install a package with veloadr support, 20.3 or higher.

      The installation is terminated because the veriexec-capable loader is not supported for Junos OS Releases prior to 20.3R1.
