NUC8i7HNK can't load BIOS after Secure Boot enable

MSerg · ‎09-16-2018

Hello everyone.

TL;DR: I've enabled secure boot with custom keys and now can't enter visual BIOS.

So the full description of actions:

I've generated DB keys for Linux EFISTUB kernel. Also I have an KEK key and my own Platform key. And also generated key to clear PK.
After that I cleared default keys using Visual BIOS.
As for next step I put all of my keys including additional key for booting windows ("MicWinProPCA2011_2011-10-19").
After that using KeyTool.efi signed by my DB key I've added my db key an microsoft one.
Then KEK signature and after that platform key that generated by me.

And after reboot I can't go into visual bios. Also I can't boot any of my USB devices (even that one where I put signed keytool.efi in place of "EFI\BOOT\BOOTX64.EFI").

Only thing that works is windows EFI bootloader. I can succesfully boot into windows but I can't to boot anything else.

Also I've tried to clear CMOS using bios recovery with removing jumper:

Placed firmware onto USB flash drive.
Turned off nuc and plugged off.
Removed battery connector.
Waited for an 15 minutes or so.
Plugged in USB stick and power cord.
Pressed a button and nothing happened for an 30 minutes.

And important note is that I have no visual feedback at all with monitor connected to HDMI until windows bootloader starts.

I tried to clear CMOS with no M.2 drives and with single RAM stick. No success.

I found /thread/45668 similar issue but I can't rollback since I can't go into BIOS.

My assumption is that intel visual BIOS requires some hardware driver ROMs which should be signed by some key that I don't have.

And thus neither recovery and Visual BIOS can't run some USB/VGA drivers and load them since can't verify signature.

So how do I get into visual bios or at least how do I clear platform key if I can't even boot keytool? Can I do that using Windows?

LeonWaksman · ‎09-16-2018

Hello me_ses

1. Try boot into UEFI bios from Windows: https://www.tenforums.com/tutorials/5831-boot-uefi-firmware-settings-inside-windows-10-a.html Windows 10 Help Forums

or

2. Try clean the the password and TPM from Configuration Menu . From this menu you can enter bios also after pressing on F2.

Disconnect the power adapter and remove the upper cover from your NUC.
Remove the yellow security jumper and close the cover.
Do not insert any USB stick into USB socket.
Reconnect the power adapter and power ON the NUC. Wait 30 sec - 2min. You will see the Configuration Menu - similar to the attached image.

or

3. You may try to enter Bios from Power Button Menu. Press Power Button for about 3 seconds. You should release the Power Button soon as the power led changes color from blue to amber. Alternately, the system will emit three short beeps from the PC speaker or headphones, if connected, then stop. If you see the LED color change or you hear the beeps, release the Power Button - NUC shall reboot into Power Button Menu.

Hope this will help

Leon

MSerg · ‎09-17-2018

As you may noticed I said that I have no visual feedback at all.

Tried. Didn't work.
Tried as you suggested and blindly pressed button 3 on the keyboard. Had no feedback. Tried to restart after that - no success.
Also didn't work.

LeonWaksman · ‎09-17-2018

1. I've noticed that you have no visual feedback at all. However I understood that you can boot into Windows and that there you have video. So, what happened - your computer refuses to boot into Advanced Menu or, in Advanced Menu you don't see the option to boot into bios?

2. I have one more idea for you to try:

2.1 Booting with minimum hardware configuration into Configuration Menu

Remove SSDs and one of the SODIMMs (if you have 2 memory modules installed). Leave only one SODIMM in the bottom slot only.
Remove the Security Jumper
Power ON the NUC and see if it's booting into Configuration Menu.

Leon

MSerg · ‎09-18-2018

I can't really say if it refuses to boot or it successfully loads menu but doesn't show anything. But yes. It doesn't show none of

- Visual BIOS using F2 with normal boot or from Windows boot manager

- Power button menu via 3 second delay

- Configuration menu with or without USB inserted and with or without SSD.

By "doesn't show" I mean black screen and turned off activity LED on my monitor. So it probably doesn't even send signals over HDMI in that case.

Also I can't say if something happens if I try to press some buttons because when I tried to clear TPM nothing happened from my perspective.

When I run NUC without jumper or when I try to call Power Button menu it turns on skull LED and custom user LED.
Just tried one more time. Even if it gets to Configuration menu I can't say if it's there. It's just doesn't show anything on the screen.

But if I press [F4] it shuts down and then boots up again. So probably keyboard is working and I opened BIOS recovery as I can see from your picture.

LeonWaksman · ‎09-19-2018

1. Still I did not understand you. You can boot into Windows and you see video output in Windows? Or, you can't boot into Windows neither and you see always black screen?

2. If you in all cases don't see video try the following:

2.1 Replace the HDMI cable. If you don't have a spare one, take one from your TV set.

2.2 If your NUC is connected to TV set, connect it to computer monitor instead. If you don't have monitor, connect your NUC to other TV.

Leon

MSerg · ‎09-19-2018

Sorry for misunderstanding.

Yes. You understood correctly. I can boot into Windows and both HDMI output and monitor are working.

I have no output when I try to use any known service menu or if I try to boot another operating system installed on same SSD.

My NUC is connected to monitor and it worked fine before with the same monitor and the same HDMI cable. But in PM someone suggested to try miniDP port so probably I'll try to find miniDP-HDMI converter. But highly doubt if it'll change anything since all of the outputs wired to Vega M anyway.

LeonWaksman · ‎09-19-2018

OK. Have no more ideas.

Leon

MSerg · ‎09-19-2018

Well, thanks for your help anyway. You are the only one who tried at least.

I'm trying to reach Intel support but they didn't answer for a couple of days already. Which is quite sad because this is kind of emergency for me.

idata · ‎09-19-2018

Hello me_ses,

Thank you for posting your inquiry.

Just to be in the same page:

You cannot enter the BIOS with all storage devices removed (SSD, M.2s, USB flash drives, - ALL) except for one memory stick, USB keyboard and Monitor only and you have already clear the CMOS via the jumper method per lw1948 above (9/17/2018), it appears to be an issue with the unit.

If the above is true and you agree, we can advise the contact center for your geographical location that we recommend a warranty replacement if under warranty.

The other support ticket that is currently opened with you local support team is currently escalated.

We have sent you a private message requesting some personal information and https://www.intel.com/content/www/us/en/support/articles/000005804/mini-pcs.html system markings

I hope to hear from you soon.

Regards,

Diego S.

Ronny_G_Intel · ‎09-27-2018

BIOS ver 69 is out there, have you had a chance to test it?

https://downloadcenter.intel.com/download/28178/BIOS-Update-BNKBL357-86A-?product=95067 Download BIOS Update [BNKBL357.86A]

Regards,

Ronny G

Mitchell_R_Intel · ‎09-27-2018

Wrong BIOS. He is using a NUC8i7HVK NUC with Kaby Lake-G.

Did you enable Fast Boot in the BIOS before you injected the new Secure Boot key? This will prevent any USB support and you will get no video until you boot into Windows. This is to allow booting to be as fast as possible by not enabling any of these devices during POST.

The other thing is since the GPU in Kaby Lake-G is based on AMD Vega and not Intel Gfx, that may be why you do not see any video in POST.

Mitchell_R_Intel · ‎09-27-2018

Another question. When you added the NEW Secure Boot key, did you append it to the existing Intel key or replace the Intel key?

MSerg · ‎09-30-2018

No. I disabled Fast Boot implicitly to boot Linux normally. And I had bios loading before enrolling keys.

Also I've mentioned that I have no visual even in configuration mode with removed jumper where Fast Boot just doesn't have an effect.

MSerg · ‎09-30-2018

How did I supposed to append my keys to Intel ones after clearing default ones?

Even without clearing I need to have a private keys of enrolled KEK or PK to sign my own keys to add them without purging database.

And apparently I don't have those.

Also there's no single line on Intel website where you can find unsigned ESL needed to be added to KEK and/or DB entries while you enrolling your own keys.

And there's no single warning that by some reason you need to have some additional entries for the hardware that soldered directly to the board and cannot be removed.

idata · ‎10-08-2018

me_ses: There is a new BIOS available in our web site, it is version 0050, if the problem persists we can try to install that version:

https://downloadcenter.intel.com/download/28185/BIOS-Update-HNKBLi70-86A-?product=126143

As far as Linux support, Intel does not support Linux on this system and we have not received confirmation from a customer/company yet stating they have validated Linux on this system yet:

https://www.intel.com/content/www/us/en/support/articles/000005628/mini-pcs.html

So if you need assistance the best thing do will visit Linux's forums:

http://www.linuxforums.org/forum/

Regards,

Alberto R.

Intel Customer Support Technician

Under Contract to Intel Corporation

idata · ‎10-15-2018

me_ses: I just wanted to check if the information posted previously was useful for you and if you need further assistance on this matter?

Regards,

Alberto R.

Intel Customer Support Technician

Under Contract to Intel Corporation

MSerg · ‎10-30-2018

It wasn't useful and I didn't come to the solution of this particular issue.

After over a month of talking with support team they decided to replace my unit so now I'm waiting for the new one.

idata · ‎10-30-2018

me_ses: We are sorry to hear the issue was not fixed, it could be a hardware problem, so we are glad to know they will be able to replace the unit for you.

Regards,

Alberto R.

Intel Customer Support Technician

Under Contract to Intel Corporation

Erik-RAMLAB · ‎02-21-2021

We experienced the same issue.
It is caused by removing the DB key named "Microsoft Corporation UEFI CA 2011". I assume it is used by an EFI graphics driver, preventing graphical output during early boot. As far as we know, the Visual BIOS is not able to run at all, making it impossible to restore the default secure boot settings, not even by blindly entering the correct keystrokes. Jumpers also had no effect.

If you installed your own KEK, it is possible to fix the issue by restoring the MS Corp UEFI CA 2011 key, although it is not easy.
You'd have to download that DB key (Microsoft has online documentation about it, with a direct download link), sign it with your KEK, and install it without any visual feedback; that last part being tricky. One way would be to install it on another PC and record all the necessary keystrokes by hand, or perform it simultaneously on both machines by mimicking all keystrokes. KeyTool will boot and function, but without visuals.

The BIOS has an option called 'Allow UEFI Third Party Driver loaded', but I have not tested whether this allows the EFI graphics driver to load without having the MS Corp UEFI CA 2011 key installed. I'm not sure either whether this poses a threat from malicious devices.
Perhaps Intel can comment on this BIOS option?

To enroll custom keys with KeyTool on a new/normal machine while also keeping the above DB key:

Install the Secure Boot Defaults in the BIOS
Disable secure boot, since your KeyTool efi file is probably not signed with a default key
Boot KeyTool
Make a backup of all default keys using 'Save Keys'
Boot into the BIOS, clear the default keys and enter custom mode by selecting 'Clear Secure Boot Data' in the BIOS (enable 'Secure Boot' first)
Boot KeyTool again
Add 'db.esl' from the backed up defaults (and dbx.esl if you want)
Remove what you don't need, but be sure to keep "Microsoft Corporation UEFI CA 2011" (all other DB keys could be safely removed in our case)
Add your own keys
Finalize by installing your own Platform Key (or, alternatively, reboot, enter the BIOS and select 'Install Intel Platform Key')