C220M - SNS-3595-K9 invalid signature detected

AminRamadan
Level 1

Hi,

Our old ISE C220M - SNS-3595-K9 has been migrated to a new one, and I am trying to use it for a lab by installing ESXi on the old ISE. But every time I try to boot from USB, I get the message "invalid signature detected - check secure policy boot in Setting". When I go to CIMC/Compute/Bios/Configure boot order, I see that UEFI secure boot is not activated.

My question:

Can I install ESXi on the ISE C220M - SNS-3595? If yes, how can I deactivate the signature detection?

Thank you

Accepted Solutions

Kirk J
Cisco Employee

That appears to be 'CIMC secure boot' enabled and locked to ISE/SNS appliance images.

If the system easily let you boot to an alternate image, that would present a big security vulnerability.

Repurposing the security appliances is not supported.

Kirk...


9 Replies

Mike L
Level 1

I know this is an old thread, but if you have access to CCO you can flash the BIOS with the regular UCS-C firmware instead of the ISE firmware, and then you can use the server as a normal bare metal box, or you used to. We have a couple of old ones that we turned into Linux jump servers.

How can I get to CCO and flash the BIOS? There is no way on CIMC to do that.

Sure there is.  So on my 3595 I get the following info logging into the CIMC.

Screenshot 2024-03-25 145436.png

You can see in the BIOS version that the server type is a C220 M4. If I go to support.cisco.com and log in, in the search box at the top I can type in 220 m4, and the first option that pops up is UCS C220 M4 Rack Server; then click the downloads option. It should take you to the downloads page. If it doesn't take you directly to the 220 page, then just put 220 m4 in the search box again and select UCS C220 M4 Rack Server Software. When the type page pulls up, select Server Firmware. There is an ISO that you'll download, and the release notes on that page will provide the directions to flash the BIOS/CIMC on the host. This will load the non-ISE appliance firmware for you, and that should be all you need to do. You're not technically flashing it in the CIMC, but that's how you're going to load the ISO to do it. I've done this and done it remotely. I live 1500 miles from my data centers where my servers are located.

I successfully executed the CIMC and BIOS from the HUU.ISO. Then, I upgraded my SNS-3595 to the latest version, 4.1.x. However, I couldn't boot from any software other than ISE. The server displayed a window that said (the boot is secured). 

AminRamadan
Level 1

You mean to download (ucs-c220m4-huu-4.1.2m.iso) and use it?


SaschaS15
Level 1

Hi Mike, was the normal iso "ucs-c220m4-huu-4.1.2m.iso" working from the UCS C220 M4 Rack Server on the SNS-3595-K9 without failure?

Looks like at some point Cisco modified the UCS firmware to enable secure boot by default and there is no way to remove it. Such a complete waste. My guess is that's why people are literally giving this hardware away now on eBay, as it's basically useless. Glad I had been buying Dell gear for my home lab. Guess I'll be sticking with that.

A part of what you are saying is true. On the other hand, the UCS server is not locked.
