11-26-2024 12:15 PM
Hey all,
I’ve got a bit of a rabbit-hole query that I’m hoping someone here can help me unravel. Here’s the setup:
Background:
Hardware: Cisco UCSX-210C-M7
BIOS Firmware Version: X210M7.4.3.5a.0.0905240935
TPM: Enabled, Version 2.0 (Model: UCSX-TPM-002C)
ESXi Version: VMware ESXi 8.0.3, 24022 / vCenter 8.0.3
In vCenter, we see that the hosts have passed attestation, but the TXT column shows false. My understanding was that enabling TPM should also explicitly enable Intel TXT.
Questions:
BIOS Setting Display
In the BIOS under Processor Configuration, I see:
Enable Intel TXT [Disable]
Does this mean that TXT is currently disabled, and the displayed option is what I can switch it to (i.e., Enable it)? Or does it mean TXT is enabled and I’m looking at the option to disable it?
My colleague thinks this means TXT is disabled, while I read it as being enabled, with the option to toggle it off. Why not just have it show Enabled/Disabled for clarity? (for setting we see [Enabled] [Disabled] [Enable] [Disable] )
Settings Not Changeable
In the BIOS, I can highlight settings like the above and others (e.g., Intel Virtualization Technology), but I can’t change them. Neither the remote interface nor the on-screen keyboard lets me toggle anything. We’ve tried rebooting, resetting the KVM, etc., but no dice. Any idea why these settings seem locked?
Intel Virtualization Technology Setting
Similarly, I see:
Intel Virtualization Technology [Enable]
Does this mean VT is actually enabled? Again, same confusion as the TXT question above. And just like before, this setting can’t be changed. Any ideas why?
Conflicting Documentation
I checked two Cisco docs, and they seem to give conflicting information about platform defaults:
Doc 1: UCS M7 Platforms Overview: States that Intel VT for Directed I/O is Enabled by default.
Doc 2: UCS Intersight BIOS Tokens Guide: Shows Intel(R) VT as Disabled (in bold).
Why the discrepancy between the two documents?
Additional Context:
We’re using a BIOS profile untouched from the platform defaults. My understanding is that a BIOS profile attached to a server profile would override settings on reboot, but since we’re testing this without a BIOS profile, I don’t think that should be affecting what we’re seeing here.
Apologies if this is a jumble of half-baked assumptions—I’m trying to figure this all out under some serious time pressure. Any insights would be greatly appreciated!
Cheers,
11-27-2024 09:41 AM - edited 11-27-2024 09:44 AM
Hey Big Vern,
Lots of questions in this post.
You mention you're under a serious time crunch. I've read your post, but what is the end goal? Is it to enable TXT? I just want to make sure your issue gets resolved and documentation issues can be cleared up after.
I will try to address a few questions here:
"In the BIOS, I can highlight settings like the above and others (e.g., Intel Virtualization Technology), but I can’t change them. Neither the remote interface nor the on-screen keyboard lets me toggle anything. We’ve tried rebooting, resetting the KVM, etc., but no dice. Any idea why these settings seem locked?"
BIOS settings are managed by the BIOS policy, and changing BIOS settings is why we have the BIOS policy. Even if you're able to make changes, further changes down the road could overwrite your one-off BIOS configuration changes. You seem to already know since you acknowledged this detail and the fact that it will be overwritten on reboot. Rather than "Why can't we change it manually in the BIOS when I shouldn't really be changing it manually anyways?" the question should be "How can I toggle this setting in the BIOS policy?" as you're not really supposed to be making changes manually.
"In vCenter, we see that the hosts have passed attestation, but the TXT column shows false. My understanding was that enabling TPM should also explicitly enable Intel TXT."
TXT depends on TPM, but TPM does not depend on TXT.
I would not assume that enabling the base feature of TPM would also enable TXT. However, if you wanted to use TXT, you'd need to enable TPM. Your output would make sense if TPM is enabled, and TXT is theoretically disabled.
"Enable Intel TXT [Disable] Does this mean that TXT is currently disabled, and the displayed option is what I can switch it to (i.e., Enable it)? Or does it mean TXT is enabled and I’m looking at the option to disable it?"
My understanding is this would mean it's disabled.
"Intel Virtualization Technology [Enable] Does this mean VT is actually enabled? Again, same confusion as the TXT question above. And just like before, this setting can’t be changed. Any ideas why?"
My understanding is this would mean it's enabled. I definitely wouldn't turn this off if it's an ESXi host. Regarding why you can't change it, I defer to my original response of "Make changes in a BIOS policy and not manually in a BIOS".
My question to you is - If your goal is to enable TXT, have you tried creating a test BIOS policy with that BIOS token specifically enabled, and applying it to a test host? I have checked my X210 M7 and it's in nearly the exact same boat. I suspect if I made that change I would see txt change to "true".
I would agree that the documentation is a bit unclear if TXT is enabled by default and I'll take a look and see if this is something I can ask another team to look into.
Disclaimer - as always, test changes on a test box and not prod
11-28-2024 01:31 PM
Please confirm your availability for a quick Webex call for tomorrow i.e., 29th November so that we can check on a few details from the UCS end.
12-02-2024 05:47 AM
[+] As the TPM settings are managed from the BIOS policy in IMM, confirmed we would need to enable TXT over the policy itself
[+] TXT was set to enabled under BIOS policy > TPM > Intel Trusted Execution Technology Support > enabled
[+] Further, rebooted the servers to check on the status over vKVM
[+] Under the processor settings, we now see Intel(R) TXT [enable]
[+] vCenter for these hosts now shows TXT to be true as well
[+] Confirmed there is a discrepancy in the IMM BIOS tokens guide which reports TXT to be enabled by default whereas both logs and vKVM report otherwise
[+] An internal enhancement bug to be filed for the same to ensure this is corrected
[+] Customer confirmed closure as issue now stands resolved
thanks for help all.
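Added example, not part of any post in this thread: a small audit that sorts hosts into the states discussed above (TPM attested but TXT off, as the hosts were before the BIOS policy change, versus attested with TXT on). The record fields are assumptions modelled on the vSphere API host properties (`capability.tpmSupported`, `capability.tpmVersion`, `capability.txtEnabled`, `summary.tpmAttestation.status`); the host names and values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HostTrustRecord:
    # Field names are assumptions mirroring vSphere host properties;
    # populate them from your own inventory export.
    name: str
    tpm_supported: bool
    tpm_version: Optional[str]
    attestation_status: Optional[str]  # e.g. "accepted" when attestation passed
    txt_enabled: bool


def classify(host: HostTrustRecord) -> str:
    """Return the trust state of one host.

    TXT depends on TPM, but TPM does not depend on TXT, so a passed
    attestation says nothing about whether TXT is switched on.
    """
    if not host.tpm_supported:
        # TXT without a TPM should not occur; flag it for a data/firmware check.
        return "inconsistent" if host.txt_enabled else "no-tpm"
    if host.attestation_status != "accepted":
        return "tpm-not-attested"
    return "attested-txt-on" if host.txt_enabled else "attested-txt-off"


def audit(hosts: List[HostTrustRecord]) -> Dict[str, List[str]]:
    """Group host names by trust state so drift from the BIOS policy is visible."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        report.setdefault(classify(host), []).append(host.name)
    return report


# Constructed sample inventory (not taken from the thread's environment).
SAMPLE_HOSTS = [
    HostTrustRecord("esx-a.example", True, "2.0", "accepted", False),  # before policy change
    HostTrustRecord("esx-b.example", True, "2.0", "accepted", True),   # after policy change
    HostTrustRecord("esx-c.example", True, "2.0", None, False),
    HostTrustRecord("esx-d.example", False, None, None, False),
]

if __name__ == "__main__":
    for state, names in sorted(audit(SAMPLE_HOSTS).items()):
        print(f"{state}: {', '.join(names)}")
```

Hosts reported as `attested-txt-off` are the ones where the TXT token still needs to be enabled in the BIOS policy and the server rebooted.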