ISE/SNS-3595 EFI Secure Boot errors after booting up

masyamad
Cisco Employee

Hi dev team,

I found the following critical messages about secure boot in the CIMC SEL.

* It occurred on a brand-new SNS-3595 without any upgrading/downgrading of CIMC.

ISE-CIMC /sel # show entries
<...snipped...>

2018-10-05 02:07:54 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:53 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:50 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:47 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:44 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:41 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:38 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:26 Critical      "System Software event: Post sensor, EFI Secure Boot Key Error [0x5304] was asserted"

Could you tell me the impact of the errors on ISE operation and how to solve them?

The unit is about to be shipped to the end user. I'd like to know the impact ASAP.

I also found some errors related to the message. I hope the info will be of help.

- obfl.log

> 5:2018 Jul 12 16:37:59 UTC:BMC:BIOSReader:1289: BIOSReader.c:943:File Close : /var/nuova/BIOS/PK
> 5:2018 Jul 12 16:37:59 UTC:BMC:selparser:1573: selparser.c:774: # A8 00 00 00 01 02 00 00 E7 83 47 5B 01 00 04 0F 00 00 00 00 6F A0 04 53 # a8 | 07/12/2018 16:37:59 | BIOS | System Firmware Progress #0x00 | System Firmware error | EFI Secure Boot Key Error. | Asserted
> 5:2018 Jul 12 16:38:00 UTC:BMC:BIOSReader:1289: BIOSReader.c:247:File Open : ConfigPolicy.xml

- BiosTech log

> [07:09] (PeiDispatcher)Calling the entry point of PEIM to start its execution
> [07:09]Failed to open CiscoVicConfig file Status=EFI_NO_RESPONSE

5 Replies

Nidhi
Cisco Employee

Google pointed me to this document - https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/2-0/b_Cisco_UCS_C-Series_CLI_Configuration_Guide_for_C3x60_Servers/b_Cisco_UCS_C-Series_CLI_Configuration_Guide_207_chapter_0100.html

Also, a note there - If you enable UEFI secure boot on a nonsupported OS, on the next reboot, you cannot boot from that particular OS. If you try to boot from the previous OS, an error is reported and recorded under the system software event in the web UI. You must disable the UEFI secure boot option using Cisco IMC to boot from your previous OS.

If the options suggested in the document do not help, I suggest you raise a TAC case to troubleshoot this.

Thanks,

Nidhi

Hi Nidhi,

Thanks for your comment.

But the error occurs on a brand-new ISE. It doesn't have any previous OS or others.

The ISE application booted up correctly (at least from my point of view) but caused the error on each boot.

I would only like to know if the unit is normal or needs an RMA.

Can you comment on this point?

Hi,

I checked with engineering on this; these look like defects. Hence, I request that you work with TAC on this.

Thanks,

Nidhi

OK. I'll contact TAC, but do you mean it's a software defect?

The unit will be shipped to the end user tomorrow. I really need to know if it's a sign of a hardware failure or not.

avysotskiy1
Level 1

It is expected behavior, as Secure Boot is enabled. Reference: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn47021

Please mark the answer as correct)
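
An added example, not part of the original thread and not Cisco tooling: a small Python parser for the `show entries` SEL output quoted in the question. It groups the EFI Secure Boot events into per-boot bursts so occurrences across reboots can be compared. The sample log is constructed in the page's format (the 2018-10-04 entries are invented), and the 5-minute gap used to separate boots is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format of the SEL output quoted in the question.
# The 2018-10-04 entries are invented to represent an earlier boot.
SAMPLE_SEL = '''\
<...snipped...>
2018-10-05 02:07:41 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:38 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-05 02:07:26 Critical      "System Software event: Post sensor, EFI Secure Boot Key Error [0x5304] was asserted"
2018-10-04 09:15:12 Critical      "System Software event: Post sensor, EFI Load Image Security Violation [0x5302] was asserted"
2018-10-04 09:15:01 Critical      "System Software event: Post sensor, EFI Secure Boot Key Error [0x5304] was asserted"
'''

ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>\w+)\s+'
    r'"System Software event: Post sensor, (?P<name>EFI [^\[]+?) '
    r'\[(?P<code>0x[0-9A-Fa-f]+)\] was asserted"$'
)

def parse_sel(text):
    """Return (timestamp, severity, name, code) per EFI POST entry, oldest first."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # non-matching lines (headers, "<...snipped...>") are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["sev"], m["name"], m["code"]))
    return sorted(events, key=lambda e: e[0])

def group_by_boot(events, gap=timedelta(minutes=5)):
    """Split events into bursts; a pause longer than `gap` (assumed) starts a new boot."""
    boots = []
    for ev in events:
        if boots and ev[0] - boots[-1][-1][0] <= gap:
            boots[-1].append(ev)
        else:
            boots.append([ev])
    return boots

def summarize(text):
    """Per boot: timestamp of the first event and a count of each event code."""
    return [(b[0][0].isoformat(sep=" "), dict(Counter(e[3] for e in b)))
            for b in group_by_boot(parse_sel(text))]

if __name__ == "__main__":
    for start, counts in summarize(SAMPLE_SEL):
        print(start, counts)
```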
