Solved: Re: Firmware Upgrade issue on Cisco UCS server with secure boot enabled

scoober322 · ‎07-26-2018

Hi, I need some advice on how to successfully apply the latest firmware HUU to a Cisco UCS C220 server with Secure Boot enabled.

I'm trying to upgrade from 2.0.x to 3.0.4d. When I boot from the physical dvd or mount iso using vKVM, I get an error immediately after selecting the drive, stating "Secure Boot Violation. Invalid Signature Detected". I've also tried upgrading through IMC Supervisor but that produces a very generic error that is extremely difficult to troubleshoot.

I've seen some information in one of the configuration guides that suggests a signed version of the HUU media is needed, but I cannot find where to download this. Has anyone else faced this issue?

Many thanks for your help.

DRAGONKZ · ‎07-29-2018

You should also be able to disable secure boot through the CIMC, reboot the server (to turn it off), then boot off the media through the CIMC kvm and perform the updates using the .iso.

When done you simply re-enable secure boot.

I did the above on my standalone C220 M3 1 week ago without issue.

View solution in original post

Kirk J · ‎07-26-2018

Greetings.

Can you confirm if this is an appliance based on the C series server (i.e. ISE server, firepower, etc)?

Thanks,

Kirk...

scoober322 · ‎07-27-2018

Hello Kirk,

This is a standalone UCS C-series server running Windows Server OS. I'd like to take the IMC firmware from v2 to v3 so I can make use of the HTML5 vKVM. I thought using the HUU might be the easiest way to do this but then I ran into this secure boot violation issue.

Many thanks for your help.

Ashley Lester · ‎07-27-2018

What is the hardware type you are working with (ie c220m3) and what is the name of the HUU image you are trying to apply?

This alternate community post may prove useful in your case:

https://community.cisco.com/t5/unified-computing-system/ucs-upgrade-fails-invalid-signature-detected/m-p/3367981/highlight/true#M25313

<snip>

You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.

To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.

I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso

</snip>

HTH!

thanks!

Jade Lester

Ashley Lester · ‎07-27-2018

What is the hardware type you are working with (ie c220m3) and what is the name of the HUU image you are trying to apply?

This alternate community post may prove useful in your case:

https://community.cisco.com/t5/unified-computing-system/ucs-upgrade-fails-invalid-signature-detected/m-p/3367981/highlight/true#M25313

davidjbradley
davidjbradley Beginner
Beginner
‎04-18-2018 03:11 AM
Re: UCS upgrade fails - Invalid signature detected.

You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.

 

To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.

I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso
Everyone's tags (0)
Add tags

</snip>

HTH!

thanks!

Jade Lester

DRAGONKZ · ‎07-29-2018

You should also be able to disable secure boot through the CIMC, reboot the server (to turn it off), then boot off the media through the CIMC kvm and perform the updates using the .iso.

When done you simply re-enable secure boot.

I did the above on my standalone C220 M3 1 week ago without issue.

scoober322 · ‎08-02-2018

Thanks for this solution. I initially thought this might damage the data on the disks so i tried it on a test server of the same spec. It worked well and the configured drives were not affected.

Many thanks

nilssondk · ‎11-05-2019

As i read it you cannot disable secure boot?

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_2_chapter_011111.html#concept_C3FF828A05BE478B88052EE502B379C5

DRAGONKZ · ‎11-05-2019

It’s worked for me every time I’ve done so on my C220 M3 and M4 servers using the CIMC (ie, not managed by UCS manager)

scoober322 · ‎07-30-2018

Hi,

Thanks for your help. It's a C220 M4 and I'm trying to apply ucs-c220m4-huu-3.0.4d.iso.

I've tried extracting the files but after trying a few different options and variations of the commands, it fails with the error "Decryption failed." I've seen on another post that this may be because the version of OpenSSL is too high, but the workaround needs credentials I don't have.

All of these steps appear to be a difficult way to obtain the files. It brings me back to my first question on whether there is any such thing as a signed image that would be accepted by the secure boot process?

Many thanks for your help.

mr_bayram · ‎01-17-2021

Dear how you solve it

Can I WhatsApp me 009613011564

Regards