
Pre-boot DMA Protection problem on M50CYP

alpha_
Novice
2,821 Views

Hi,

I installed Windows Server 2022 on M50CYP. Everything works fine and Secure Boot is enabled.

Now, if I enable "Pre-boot DMA Protection" in BIOS (v01.01.0007) the OS cannot boot anymore. It goes directly to the network boot options.

Is this a known issue and is there any solution?

Thanks,

Anguel

8 Replies
Allan_A_Intel
Moderator
2,771 Views

Hello, alpha_,


Thank you for reaching Intel Communities. I will gladly help you.


I couldn't confirm right away any issue related to DMA and the Intel® Server Board M50CYP with the latest BIOS, and I see that Windows* Server 2022 should support it as well.


Please allow me some time to research and try to find out the cause of the issue.


Best regards,

Allan


alpha_
Novice
2,739 Views

Hi Allan,

in ReleaseNotes_BIOS_R01.01.0007.txt there is some DMA issue listed, however I do not understand if it may apply to my problem:

13.[Hsd-ES]:[2103654290] Error is prompted when create RAID volume if enable pre-boot DMA protection option

Indeed I am using a RAID1 VROC with two internal M.2 NVMEs for the Win Server 2022 OS (boot) volume. I created the volume without having pre-boot DMA protection enabled.

Also, although the M50CYP is certified for Server 2022 Secured Core and this was one of the main reasons we decided to buy this server, I did not find any official Intel document stating the BIOS settings required to enable all Secured Core features, and they are everything but trivial. Fortunately, with a lot of searching I could find some information from Lenovo that allowed me to enable secured core on the M50CYP:

Make sure the following UEFI settings are enabled in order to enable secured-core features:

System Settings -> Security -> Secure Boot Configurations -> Secure Boot Settings
System Settings -> Security -> Secure Boot Configurations -> Trusted Platform Module -> TPM 2.0
System Information -> Socket Configuration -> Processor Configuration -> Enable Intel TXT
System Setting -> Devices and I/O Ports -> Intel VT for Directed I/O (VT-d)
System Setting -> Devices and I/O Ports -> DMA Control Opt-In Flag

Can Intel please confirm that this also applies to M50CYP?

But again, as soon as I turn on "Pre-boot DMA protection" in BIOS, the server does not boot to Windows anymore.

Any help is welcome.

 

Best regards,

Anguel

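For the secured-core settings listed in the post above, the following is an added example (not part of the original thread and not Intel or Lenovo code) that reports what Windows Server 2022 itself sees after a firmware setting is changed. It assumes an elevated PowerShell session on the server; the value-to-name maps follow Microsoft's documentation for the `Win32_DeviceGuard` class, and `Resolve-Names` is a helper name made up for this example.

```powershell
# Added example: summarize Secure Boot, TPM and virtualization-based security state.
# Run elevated; Get-Tpm and Confirm-SecureBootUEFI both require administrator rights.

# Value maps for Win32_DeviceGuard properties (0 means "none reported").
$available = @{
    0 = 'none'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'; 8 = 'APIC virtualization'
}
$services = @{
    0 = 'none'; 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement'
}
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }

# Hypothetical helper: translate a numeric array into names, keeping unknown values visible.
function Resolve-Names($values, $map) {
    $names = foreach ($v in @($values)) {
        if ($map.ContainsKey([int]$v)) { $map[[int]$v] } else { "unknown($v)" }
    }
    $names -join ', '
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Confirm-SecureBootUEFI throws on a non-UEFI boot, so an error is reported as "off".
try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

$tpm = Get-Tpm

[pscustomobject]@{
    SecureBoot             = $secureBoot
    TpmPresent             = $tpm.TpmPresent
    TpmReady               = $tpm.TpmReady
    VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    DmaProtectionAvailable = (@($dg.AvailableSecurityProperties) -contains 3)
    AvailableProperties    = Resolve-Names $dg.AvailableSecurityProperties $available
    RequiredProperties     = Resolve-Names $dg.RequiredSecurityProperties $available
    ServicesConfigured     = Resolve-Names $dg.SecurityServicesConfigured $services
    ServicesRunning        = Resolve-Names $dg.SecurityServicesRunning $services
} | Format-List
```

Running it before and after each firmware change shows which setting actually altered the reported state; the "Kernel DMA Protection" line in the System Summary of `msinfo32` gives the OS-side DMA protection status separately.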
Allan_A_Intel
Moderator
2,672 Views

Hello, alpha_,


Thank you for your patience. I tried this scenario in a lab with the same board and operating system, and I wasn't able to replicate the issue. The operating system booted even after enabling the pre-boot DMA protection.


Just to be sure, please verify the boot order, and test the system by disabling the pre-boot DMA protection and see if it is possible to boot the operating system again.


Best regards,

Allan


alpha_
Novice
2,648 Views

Hi Allan,

 

I tested again, also put "Windows Boot Manager" on top of boot order - same problem.

Have you really tested with two internal M.2 NVMEs in VROC RAID1 configuration? See my details above.

I think this might be causing the problem:

If "Pre-boot DMA Protection" is OFF, everything is fine and in BIOS the VROC volume status is "Normal", Bootable: "Yes".

But as soon as I turn "Pre-boot DMA Protection" ON, the system fails to boot and BIOS also shows the VROC volume status as "Failed", Bootable: "No".

See attached screenshots.

 

Best regards,

Anguel

Allan_A_Intel
Moderator
2,625 Views

Hello, alpha_,


Thank you for the screenshots. Allow me to double check. I will contact you again soon.


Best regards,


Allan_A_Intel
Moderator
2,468 Views

Hello, alpha_,


Thank you again for waiting. I tried once more, and this time I was able to replicate the issue in a lab. I searched for any information that might explain why it happens, and I have confirmed that currently the VROC driver does not support enabling pre-boot DMA.


I cannot confirm when and if it will be supported, but at the moment you can only use the VROC driver by disabling pre-boot DMA.


Best regards,

Allan


alpha_
Novice
2,450 Views

Hi Allan,

Thank you for the confirmation. This is really disappointing. We actually decided to buy Intel secured-core certified servers to make sure that they support all the latest security technologies.

Regarding "Secured Core Server" I still cannot find any Intel document describing the BIOS settings required to enable this feature in Windows Server 2022. How is it possible to get certification but not even say a thing about the required settings?

Any information regarding the settings is welcome. Thanks.

Best regards,

Anguel

Allan_A_Intel
Moderator
2,378 Views

Hello, alpha_,


The security is enabled by enabling pre-boot DMA. 


It is the VROC driver that does not support enabling pre-boot DMA. If Windows is installed in a non-RAID environment, pre-boot DMA can be enabled.


Best regards,

Allan

