cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8775
Views
5
Helpful
10
Replies

Firmware Upgrade issue on Cisco UCS server with secure boot enabled

scoober322
Level 1
Level 1

Hi, I need some advice on how to successfully apply the latest firmware HUU to a Cisco UCS C220 server with Secure Boot enabled. 

 

I'm trying to upgrade from 2.0.x to 3.0.4d.  When I boot from the physical dvd or mount iso using vKVM, I get an error immediately after selecting the drive, stating "Secure Boot Violation.  Invalid Signature Detected".  I've also tried upgrading through IMC Supervisor but that produces a very generic error that is extremely difficult to troubleshoot.

 

I've seen some information in one of the configuration guides that suggests a signed version of the HUU media is needed, but I cannot find where to download this.  Has anyone else faced this issue?

 

Many thanks for your help.

1 Accepted Solution

Accepted Solutions

You should also be able to disable secure boot through the CIMC, reboot the server (to turn it off), then boot off the media through the CIMC kvm and perform the updates using the .iso.

 

When done you simply re-enable secure boot.

 

I did the above on my standalone C220 M3 1 week ago without issue.

View solution in original post

10 Replies 10

Kirk J
Cisco Employee
Cisco Employee

Greetings.

Can you confirm if this is an appliance based on the C series server (i.e. ISE server, firepower, etc)?

 

Thanks,

Kirk...

Hello Kirk,

 

This is a standalone UCS C-series server running Windows Server OS.  I'd like to take the IMC firmware from v2 to v3 so I can make use of the HTML5 vKVM.  I thought using the HUU might be the easiest way to do this but then I ran into this secure boot violation issue.

 

Many thanks for your help.

What is the hardware type you are working with (ie c220m3) and what is the name of the HUU image you are trying to apply?

 

This alternate community post may prove useful in your case:

 

 https://community.cisco.com/t5/unified-computing-system/ucs-upgrade-fails-invalid-signature-detected/m-p/3367981/highlight/true#M25313

 

 

<snip>

Re: UCS upgrade fails - Invalid signature detected.

You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.

 

To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.

I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso

</snip>

 

HTH!

 

thanks!

 

Jade Lester

What is the hardware type you are working with (ie c220m3) and what is the name of the HUU image you are trying to apply?

 

This alternate community post may prove useful in your case:

 

 https://community.cisco.com/t5/unified-computing-system/ucs-upgrade-fails-invalid-signature-detected/m-p/3367981/highlight/true#M25313

 

 

 

davidjbradley
davidjbradley Beginner
Beginner
‎04-18-2018 03:11 AM
Re: UCS upgrade fails - Invalid signature detected.

You can get around this issue by extracting the CIMC and BIOS firmware files from the HUU ISO, then update the firmware and BIOS using the CIMC interface and upload the files via the browser client.

 

To extract the firmware you use the getfw binary that is stored in the /GETFW directory of the ISO. In that same directory there is a readme that explains the procedure to extract the firmware files.

I have successfully performed these steps using ucs-c220m4-huu-3.0.4a.iso
Everyone's tags (0)
Add tags

 

</snip>

 

HTH!

 

thanks!

 

Jade Lester

You should also be able to disable secure boot through the CIMC, reboot the server (to turn it off), then boot off the media through the CIMC kvm and perform the updates using the .iso.

 

When done you simply re-enable secure boot.

 

I did the above on my standalone C220 M3 1 week ago without issue.

Thanks for this solution.  I initially thought this might damage the data on the disks so i tried it on a test server of the same spec.  It worked well and the configured drives were not affected.

 

Many thanks

It’s worked for me every time I’ve done so on my C220 M3 and M4 servers using the CIMC (ie, not managed by UCS manager)

Hi,

Thanks for your help.  It's a C220 M4 and I'm trying to apply ucs-c220m4-huu-3.0.4d.iso.

 

I've tried extracting the files but after trying a few different options and variations of the commands, it fails with the error "Decryption failed."  I've seen on another post that this may be because the version of OpenSSL is too high, but the workaround needs credentials I don't have.

 

All of these steps appear to be a difficult way to obtain the files.  It brings me back to my first question on whether there is any such thing as a signed image that would be accepted by the secure boot process?  

 

Many thanks for your help.

mr_bayram
Level 1
Level 1

Dear how you solve it 

Can I WhatsApp me 009613011564

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: