Intel® NUCs
Support for Intel® NUC products
11785 Discussions

NUC8i7HVK: replaced secure boot keys (PK, KEK, db), now fails to boot

Hans_Bausewein
New Contributor I
937 Views

History

Last Thursday I had replaced the secure boot keys (PK, KEK, db) using Linux efitools, signed my boot efi's and enabled SecureBoot.

Now I cannot even get into the BIOS. It seems it tries to do something with the display, but nothing is visible.

This "Hades Canyon completely bricked after enabling Secure Boot"  does not look very promising.

The monitor is connected by a HDMI cable and it had worked fine before like that. (both front and back HDMI ports).

Q1: Any ideas how to fix it?

I had saved the original keys, I think. But since I cannot get a Visual BIOS I cannot do anything.

I even do not know, what's the current state.

Q2: Should I (temporarily) remove the BIOS Security Jumper ?

but . . .

CAUTION
BIOS recovery using the BIOS security jumper clears Intel® Platform Trust Technology (Intel® PTT) keys. These keys will not be restored after the BIOS recovery.

Q3: Do I lose anything if I remove the BIOS Security Jumper ?

Found how to "own the TPM", so maybe I should manage it myself using Linux TPM tools?

Q4: See the firmware boot process?

Is there a way to see, what happens if the graphical video output is not available at boot time?

Maybe USB, RS232, on-board UART or so?

References

I've checked these:

0 Kudos
15 Replies
David_G_Intel
Moderator
882 Views

Hello Hans_Bausewein


Thank you for posting on the Intel️® communities. 

 

Before answering any questions, please share with us the following information:

  • Do you remember the last BIOS version installed on the NUC?
  • Which troubleshooting steps did you already test to resolve this problem?
  • Is this just a no video issue? Do you hear the fan running?
  • Do you get a specific color or blink code on the power button?
  • When did you buy this NUC?

 

Regards, 

David G 

Intel Customer Support Technician 


Hans_Bausewein
New Contributor I
875 Views

Hello David,

Few answers first:

Tried the "3.7.4 Power Button Menu" from the manual:  after 3 seconds the color changes from blue to amber, but it does not show anything on screen and it does not respond to key strokes, it seems.

I had it running in Setup Mode for some days and I could not access the BIOS anymore immediately after I turned on Secure Boot in the BIOS and restarted.

I have moved the memory and one SSD to a new NUC10i3FNK I bought last Friday, so I cannot test anything at the moment as I need it for work. Maybe in the weekend, but I'd like to have an idea how to fix it first.

How about removing the BIOS Security Jumper?
I think I do not have much to lose if I had already removed the keys.

It's just that I'm not sure and I do not want to make it worse.

regards,

Hans

Hans_Bausewein
New Contributor I
849 Views

Intel is busy I guess.

Today I have moved one 16GB memory module from my new NUC10i3FNK to the NUC8i7HVK, so I can test again. Removed the SSD, because it is half of a RAID1 and the other half is in the new NUC.

Tried the BIOS Recovery using the Power Button Menu from the BIOS Update Instructions for Intel® NUC, i.e. not removing the Security Jumper, yet.

It responds by turning off and on the lights, including the power button. Not sure whether it is actually doing a BIOS replacement, so I didn't touch it for at least 5 minutes.

If I do not press F4 while in the Power Button Menu, the lights do not change: Skull, power button and green LED stay on. Then it also responds to Ctrl-Alt-Del: seems to reboot, after lights off/on the skull does not go back on, like in my BIOS settings.

Issue remains, nothing visible on the display.

Hans

 

 

LeonWaksman
Super User
843 Views

Hi Hans,

I don't know which instruction you have used to perform BIOS Recovery from the Power Button Menu, however try mine (BTW, yesterday I've updated BIOS to version 0066, using this method). However, you need to have RAM installed. Before starting this procedure, verify that the Yellow BIOS Security Jumper is installed in NORMAL position (i.e. between pins 1-2, refer to page 46 in the Technical Product Specification) Follow those steps:

1. Prepare USB stick fully formatted to FAT32 (disable quick format option during format). Format your USB on Windows machine (rather than Linux or MAC). Save the Bios file HN0066.bio on this stick and insert it into front USB slot with amber color (NUC shall be OFF). You may use also one of the rear USB ports (do not use front blue USB port, since sometime the USB stick is not recognized during boot process).
2. Press and hold Power Button for about 3 seconds. Count 1001, 1002, 1003,1004. Release the Power Button. NUC should reboot into Power Button Menu. You should release the Power Button before 4-sec shut down override or when the Power Button LED changes color from blue to amber.
3. Press F4 and the recovery shall start (it can take up to 30 seconds for messages to appear on the screen).
4. When the recovery finishes, press on Power Button and hold it, until NUC switches OFF. Pull out the power cord. Remove the USB stick.
5. Replace the power cord and press Power Button to switch the computer to ON.
6. While you see the Intel NUC logo, enter Bios setting by pressing F2 during boot process.
Press F9(followed by "Y"), to set Bios to default settings. Press F10 (followed by "Y"), to save the settings and exit to O.S. Let the NUC fully reboot.
7. If before update, you have customized bios settings, you can enter again to Bios setting to change the necessary settings. 


Leon

Hans_Bausewein
New Contributor I
806 Views

Leon,

Thanks for replying . .  . but . . .

 

I have a few issues:

  1. I do not have Windows (last version was NT 4.0, last millennium or so)
  2. I'm a bit scared of trying a new BIOS because of many Linux users reporting it only boots Windows
  3. Will this procedure restore the Intel Platform Key (and the others?)

On the first: I used an MBR partition table with a single FAT32-formatted partition. That's how I usually buy them, but I had all four already overwritten with Linux boot software.

Have you read my first post?
More specifically: Q2: Should I (temporarily) remove the BIOS Security Jumper ?

I was a bit worried because of the CAUTION in the manual, but it seems the way forward as I probably have removed the keys anyway.

From this detailed description of the Intel boot proces :

"In Hades Canyon NUC, there are two ways to change the PK: you can reset the PK with the BIOS security jumper inside the case and you can set the PK inside the Visual BIOS program by pressing F2 during boot."

I think I used (or tried to use) a third way using Debian efitools .

Not sure about the current state of the firmware, though.

Regards,

Hans

LeonWaksman
Super User
794 Views

Hi Hans,

You asked how to perform BIOS Recovery from the Power Button Menu, so, I described this procedure in my post above. Since during this procedure the Security Jumper is installed, the PK are not affected. I've only asked you to verify that this jumper is installed in NORMAL position between pins 1-2. You may verify this without opening the NUC. Just click on F2 while you see the Intel NUC logo. If you enter BIOS, means that the jumper is in NORMAL position (rather than LOCKED).

If you will use USB stick formatted in Linux, probably the procedure will not work. 

"I'm a bit scared of trying a new BIOS because of many Linux users reporting it only boots Windows" I didn't hear about this problem in Hades Canyon. It was reported for NUC7PJYH, however it suppose to be fixed in the new release BIOS for this NUC, version 0060 .I don't have NUC7PJYH to test this, but it will be reported in the forum.

Leon

 

 

Hans_Bausewein
New Contributor I
790 Views

Hi Leon,

The Security Jumper is in the NORMAL position between pins 1-2.

I have not changed it and I could make changes in the BIOS (using F2) before I broke it.

My last change was, actually, (after replacing the keys with efitools) turning Secure Boot back on. Since then I do not see anything on the screen, anymore. No boot menu, no Power Button Menu, nothing.

Because I do not see anything on screen, I obviously cannot use that method to check the Security Jumper configuration.

Maye I'll buy another factory-formatted USB stick soon.

Or I can verify the USB stick on my new NUC10i3FNK. (when it gets an update)

Leon> Since during this procedure the Security Jumper is installed, the PK are not affected.

So I have to remove the Security Jumper.

If the missing Intel PK is the problem: Most likely, because that's the only relevant change before it broke.

thanks for helping thinking,

Hans

DeividA_Intel
Moderator
764 Views

Hello Hans_Bausewein, 


  


Thank you for the information provided 


  


I will proceed to check the issue internally and post back soon with more details. 


  


  

Best regards, 


Deivid A.  

Intel Customer Support Technician 


Hans_Bausewein
New Contributor I
745 Views

@DeividA_Intel 

Thanks for checking.

I've found a bit more detailed note in the BIOS Update Instructions for Intel® NUC with Intel® Visual BIOS pdf :

Note: BIOS recovery using the BIOS security jumper will clear Trusted Platform Module (TPM) keys,
Intel® Platform Trust Technology (Intel® PTT) keys, and High-bandwidth Digital Content Protection
(HDCP) keys. These keys will not be restored after the BIOS recovery.

The HDCP keys removal is new to me:  these were not mentioned in the Intel® NUC Kit NUC8i7HV
Technical Product Specification.

What do I lose here?

The NUC8i7HVK_TechProdSpec.pdf says:

1.6.2.6   High-bandwidth Digital Content Protection (HDCP)

HDCP is the technology for protecting high definition content against unauthorized copy or
interception between a source (computer, digital set top boxes, etc.) and the sink (panels,
monitor, and TVs). The PCH supports HDCP 1.4 and HDCP 2.2 for content protection over wired
displays using the Mini DisplayPort and HDMI 2.0. The Thunderbolt Type C based DisplayPort
configuration will support up to HDCP1.4.

 

Regards,

Hans

 

DeividA_Intel
Moderator
715 Views

Hello Hans_Bausewein, 



Based on the internal research, what I recommend you to try would be a BIOS recovery with the F7 method.


File (HN0066.bio): https://downloadcenter.intel.com/download/30320/BIOS-Update-HNKBLi70-?v=t

Steps: https://downloadmirror.intel.com/30320/eng/NUC-BIOS-Update-Readme.pdf


If the BIOS recovery does not work, get in contact with us directly to review the warranty option. You can use the link that works better for you:



1. US Canada: https://www.intel.com/content/www/us/en/support/contact-support.html#@11 

2. Europe, Middle East, and Africa: https://www.intel.com/content/www/us/en/support/contact-support/emea-contact.html 

3. Asia-Pacific: https://www.intel.com/content/www/us/en/support/contact-support/apac-contact.html 

4. Latin America: https://www.intel.la/content/www/xl/es/support/contact-support/lar-contact.html 





Regards,    


Deivid A. 

Intel Customer Support Technician 


Hans_Bausewein
New Contributor I
700 Views

F7 method ?

@DeividA_Intel 

From the BIOS Update Readme:

4. During boot, when the F7 prompt is displayed, press F7 to enter the BIOS Flash Update screen.

But I do not see anything on screen, so I do not see how this can be done.

"BIOS Recovery using the Security Jumper" may work: i.e. F4 method using the Power Button Menu with the Security Jumper removed (i.e. in Configuration Mode).

Q: So I have to repeat my question once more: what do I lose here?

"High-bandwidth Digital Content Protection (HDCP) keys will not be restored", but what does it mean?
No Netflix or some other paid services ?

Hans

 

 

 

 

 

DeividA_Intel
Moderator
683 Views

Hello Hans_Bausewein, 



I understand your concern, however, the last options to bring back the Nuc would be through the BIOS recovery (With the F4), if you are not able to access the BIOS because there is no display at all, remember that you can get in contact with us to check the warranty options that we have for you.


You won't lose any kind of information and/or features (HDCP), but any customization may be lost and you will need to adjust it.



remember that you can use the link that works better for you:


1. US Canada: https://www.intel.com/content/www/us/en/support/contact-support.html#@11 

2. Europe, Middle East, and Africa: https://www.intel.com/content/www/us/en/support/contact-support/emea-contact.html 

3. Asia-Pacific: https://www.intel.com/content/www/us/en/support/contact-support/apac-contact.html 

4. Latin America: https://www.intel.la/content/www/xl/es/support/contact-support/lar-contact.html 




Regards,   



Deivid A. 

Intel Customer Support Technician 


Hans_Bausewein
New Contributor I
672 Views

@DeividA_Intel 

Hello Deivid,

Thanks for replying.

From Deivid:

You won't lose any kind of information and/or features (HDCP), but any customization may be lost and you will need to adjust it.

If this is true, then Intel has to rewrite the BIOS Update Instructions for Intel® NUC with Intel® Visual BIOS pdf :

Note: BIOS recovery using the BIOS security jumper will clear Trusted Platform Module (TPM) keys,
Intel® Platform Trust Technology (Intel® PTT) keys, and High-bandwidth Digital Content Protection
(HDCP) keys. These keys will not be restored after the BIOS recovery.

( under BIOS Recovery by Security Jumper )

Not sure whether I need the HDCP keys and it's good to know I can use the RMA procedure if I need it.

I guess only Intel can restore them, if at all.

Regards,

Hans

 

DeividA_Intel
Moderator
647 Views

Hello Hans_Bausewein, 



I do appreciate the feedback, we will take it under consideration. In this case, feel free to perform the BIOS recovery (this is not going to damage the unit if you do it right) and if it does not work you can get in contact with us to check the warranty options. 



1. US Canada: https://www.intel.com/content/www/us/en/support/contact-support.html#@11 

2. Europe, Middle East, and Africa: https://www.intel.com/content/www/us/en/support/contact-support/emea-contact.html 

3. Asia-Pacific: https://www.intel.com/content/www/us/en/support/contact-support/apac-contact.html 

4. Latin America: https://www.intel.la/content/www/xl/es/support/contact-support/lar-contact.html 



Please keep in mind that this thread will no longer be monitored by Intel. 



Regards,  


Deivid A.  

Intel Customer Support Technician  


Hans_Bausewein
New Contributor I
627 Views

In Configuration Mode, with the Security Jumper removed, the NUC8i7HVK goes into a 73 second cycle:

0:00 Power Off

0:04 Power On + Off

0:09 Power On

0:11 Display backlight on (Maybe this is the "Detected BIOS Security Jumper Removed" page?)

0:22 Display backlight off

1:13 Power Off -> next cycle

Nothing visible on the display other than the back light turning on and off.

I do not notice a difference between the USB stick inserted (on the yellow front port or one of the back ports) vs. no USB stick inserted, so I'll retry with a Windows-formatted USB stick as @LeonWaksman  suggested.

Hans

 

 

Reply