
Pre-boot DMA Protection problem on M50CYP

alpha_
Novice

Hi,

I installed Windows Server 2022 on M50CYP. Everything works fine and Secure Boot is enabled.

Now, if I enable "Pre-boot DMA Protection" in BIOS (v01.01.0007) the OS cannot boot anymore. It goes directly to the network boot options.

Is this a known issue and is there any solution?

Thanks,

Anguel

Allan_A_Intel
Moderator

Hello, alpha_,


Thank you for reaching Intel Communities. I will gladly help you.


I couldn't confirm right away any issue related to DMA and the Intel® Server Board M50CYP with the latest BIOS, and I see that Windows* Server 2022 should support it as well.


Please allow me some time to research and try to find out the cause of the issue.


Best regards,

Allan


alpha_
Novice

Hi Allan,

In ReleaseNotes_BIOS_R01.01.0007.txt there is a DMA issue listed; however, I do not understand if it may apply to my problem:

13.[Hsd-ES]:[2103654290] Error is prompted when create RAID volume if enable pre-boot DMA protection option

Indeed I am using a RAID1 VROC with two internal M.2 NVMEs for the Win Server 2022 OS (boot) volume. I created the volume without having pre-boot DMA protection enabled.

Also, although the M50CYP is certified for Server 2022 Secured Core and this was one of the main reasons we decided to buy this server, I did not find any official Intel document stating the BIOS settings required to enable all Secured Core features, and they are anything but trivial. Fortunately, with a lot of searching I could find some information from Lenovo that allowed me to enable secured core on the M50CYP:

Make sure the following UEFI settings are enabled in order to enable secured-core features:

System Settings -> Security -> Secure Boot Configurations -> Secure Boot Settings
System Settings -> Security -> Secure Boot Configurations -> Trusted Platform Module -> TPM 2.0
System Information -> Socket Configuration -> Processor Configuration -> Enable Intel TXT
System Setting -> Devices and I/O Ports -> Intel VT for Directed I/O (VT-d)
System Setting -> Devices and I/O Ports -> DMA Control Opt-In Flag

Can Intel please confirm that this also applies to M50CYP?

But again, as soon as I turn on "Pre-boot DMA protection" in BIOS, the server does not boot to Windows anymore.

Any help is welcome.

 

Best regards,

Anguel

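Once the firmware options listed in the post above are set, Windows can report which secured-core building blocks are actually active. The script below is an added example, not part of the thread and not Intel, Lenovo or Microsoft code; it assumes an elevated PowerShell session on the installed Windows Server 2022, and the mapping from each firmware option to a Windows-reported property is an assumption made for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Code meanings follow Microsoft's Win32_DeviceGuard documentation.
$available = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                4 = 'Secure Memory Overwrite'; 5 = 'NX protections'
                6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control'
                8 = 'APIC virtualization' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$vbsState  = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

function Resolve-Codes($codes, $map) {
    # Translate numeric codes to names; keep unknown codes visible instead of dropping them.
    @($codes | Where-Object { $_ } | ForEach-Object {
        if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "Unknown ($_)" }
    })
}

# Confirm-SecureBootUEFI throws on a legacy-BIOS boot, so treat an error as "off".
$secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
$tpm    = Get-Tpm
$tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$dg     = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$availNames   = Resolve-Codes $dg.AvailableSecurityProperties $available
$runningNames = Resolve-Codes $dg.SecurityServicesRunning $services

[pscustomobject]@{
    SecureBoot         = $secureBoot
    TpmReady           = $tpm.TpmPresent -and $tpm.TpmReady
    TpmSpecVersion     = $tpmCim.SpecVersion
    VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableForVbs    = $availNames -join ', '
    ServicesConfigured = (Resolve-Codes $dg.SecurityServicesConfigured $services) -join ', '
    ServicesRunning    = $runningNames -join ', '
} | Format-List

# Assumed mapping from the firmware options in the post to what Windows reports.
$missing = @()
if (-not $secureBoot) { $missing += 'Secure Boot' }
if (-not ($tpm.TpmPresent -and $tpm.TpmReady) -or $tpmCim.SpecVersion -notlike '2.0*') { $missing += 'TPM 2.0' }
if ($availNames -notcontains 'DMA protection') { $missing += 'VT-d / DMA protection' }
if ($runningNames -notcontains 'System Guard Secure Launch') { $missing += 'Secure Launch (needs Intel TXT)' }
if ($missing) { "Not active: $($missing -join '; ')" } else { 'All checked features report active.' }
```

The "DMA protection" value here is what virtualization-based security sees as available; the Kernel DMA Protection state itself is shown separately in the System Information (msinfo32) summary.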
Allan_A_Intel
Moderator

Hello, alpha_,


Thank you for your patience. I tried this scenario in a lab with the same board and operating system, and I wasn't able to replicate the issue. The operating system booted even after enabling the pre-boot DMA protection.


Just to be sure, please verify the boot order, and test the system by disabling the pre-boot DMA protection and see if it is possible to boot the operating system again.


Best regards,

Allan


alpha_
Novice

Hi Allan,

 

I tested again, also put "Windows Boot Manager" on top of boot order - same problem.

Have you really tested with two internal M.2 NVMEs in VROC RAID1 configuration? See my details above.

I think this might be causing the problem:

If "Pre-boot DMA Protection" is OFF, everything is fine and in BIOS the VROC volume status is "Normal", Bootable: "Yes".

But as soon as I turn "Pre-boot DMA Protection" ON, the system fails to boot and BIOS also shows the VROC volume status as "Failed", Bootable: "No".

See attached screenshots.

 

Best regards,

Anguel

Allan_A_Intel
Moderator

Hello, alpha_,


Thank you for the screenshots. Allow me to double check. I will contact you again soon.


Best regards,


Allan_A_Intel
Moderator

Hello, alpha_,


Thank you again for waiting. I tried once more, and this time I was able to replicate the issue in a lab. I searched for any information that might explain why it happens, and I have confirmed that currently the VROC driver does not support enabling pre-boot DMA.


I cannot confirm when and if it will be supported, but at the moment you can only use the VROC driver by disabling pre-boot DMA.


Best regards,

Allan


alpha_
Novice

Hi Allan,

Thank you for the confirmation. This is really disappointing. We actually decided to buy Intel secured-core certified servers to make sure that they support all the latest security technologies.

Regarding "Secured Core Server" I still cannot find any Intel document describing the BIOS settings required to enable this feature in Windows Server 2022. How is it possible to get certification but not even say a thing about the required settings?

Any information regarding the settings is welcome. Thanks.

Best regards,

Anguel

Allan_A_Intel
Moderator

Hello, alpha_,


The security is enabled by enabling pre-boot DMA. 


It is the VROC driver that does not support enabling pre-boot DMA. If Windows is installed in a non-RAID environment, pre-boot DMA can be enabled.


Best regards,

Allan

