
S2600CW Server Board Bios R01.01.0009 UEFI Secure Boot Question

SWard4
Novice

Hi folks:

I was going to upgrade my S2600CWTS board to Bios R01.01.00009 which was released a few weeks ago, but in the section marked "IMPORTANT NOTICE" point # 5 says this:

5. BIOS R01.01.0009 will enable UEFI Secure Boot and include below limitations:

- Please read "BIOS UEFI SECURE BOOT IMPACT AND MITIGATION METHOD" section in this BIOS release notes
- All customer settings saved in BIOS NVRAM will be lost after new BIOS upgrade.
- BIOS downgrade is not allowed if user has enabled BIOS secure boot. All customer setting will be lost also if downgrade to previous BIOS release.
- Backup BIOS region is also required to be updated to prevent recovery failure please use release package to update BIOS.
- There is downgrade hang risk if you don't follow above rules.
- Further BIOS release will not suffer from these side effects as the NVRAM region is formatted as authenticated variable storage

I need some clarification about what "enable UEFI Secure Boot" means. I'm running ESXi 6 and don't have secure boot enabled. Does this mean that if I apply this BIOS update that I won't be able to turn off secure boot and will have to reinstall ESXi? Also, does it mean that I can't legacy boot from a CD or USB stick any longer? If that's the case, then I'm stuck at the current BIOS level.

Can someone please give some details about what this means relative to how the previous Bios versions operated?

Thanks.

1 Solution
DSilv11
Valued Contributor III

EFI Secure boot vs Legacy boot.

If you have not enabled EFI boot (and very few have yet, it is still kind of new), that bullet point does not apply.

If in the future you decide to rebuild the server using EFI Secure Boot, then you would need to be careful about trying to flash the BIOS down to a lower level in the future. It is a corner case, but it needs to be covered in the release notes.

The bigger issue for most customers is the NVRAM table update.

Any customized BIOS settings you may have already set will be restored to the defaults and need to be set again.

(This does not impact BMC settings in BIOS set-up, and sometimes it is difficult to tell if a setting is BIOS or BMC.)

(Pretty much anything in the server management tab is BMC.)

If in doubt, I would download the SYSCFG tool and use it to save your current BIOS settings to a file called syscfg.ini. (syscfg /save)

Then rename it Old.ini.

After flashing the new BIOS, run syscfg /save again to save a syscfg.ini of the new BIOS settings.

You can open the .ini files in a text viewer (notepad or beyondcompare work well) and see what values need to be changed back.

Unfortunately, syscfg will not restore the settings for you across the BIOS level change, so you need to do it manually.

The STARTUP.nsh script file takes care of loading the back-up BIOS automatically. Don't panic after the first reboot. The back-up BIOS updates in the background on the reboot and it will cause the screen to stay blank for about 3 minutes while the update is occurring.

Last piece on Secure Boot.

If you decide to enable EFI secure boot some time in the future, you would need to install an EFI boot OS. Your legacy loaded OS would not be recognized and only devices formatted to EFI would be viable pre-OS. A FAT32 USB key would not be, but you can format a USB key to EFI if desired.
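The before/after comparison of Old.ini and syscfg.ini described in this answer can be scripted. This is an added example, not part of the original post and not Intel tooling; it assumes the saved files use INI-style `[section]` headers and `name=value` lines with optional `;` comments, and the sample section and setting names are constructed.

```python
# Added example: diff two saved BIOS settings files (assumed INI-style format).
import sys
from pathlib import Path

def parse_ini(text):
    """Return {(section, name): value}, ignoring blank lines and ';' comments."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            settings[(section, name.strip())] = value.strip()
    return settings

def diff_settings(old_text, new_text):
    """Return (changed, removed, added) between the old and new exports."""
    old, new = parse_ini(old_text), parse_ini(new_text)
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    added = {k: new[k] for k in new.keys() - old.keys()}
    return changed, removed, added

# Constructed sample exports; section and setting names are illustrative only.
OLD_INI = """[BIOS::Main]
Quiet Boot=0 ; customized before the flash
[BIOS::Security]
Front Panel Lockout=1
"""
NEW_INI = """[BIOS::Main]
Quiet Boot=1
[BIOS::Security]
Front Panel Lockout=0
Secure Boot=0
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python this_script.py Old.ini syscfg.ini
        texts = [Path(p).read_text(errors="replace") for p in sys.argv[1:3]]
    else:
        texts = [OLD_INI, NEW_INI]
    changed, removed, added = diff_settings(*texts)
    for (sec, name), (before, after) in sorted(changed.items()):
        print(f"[{sec}] {name}: {before} -> {after}  (reset by the flash, set back manually)")
    for (sec, name), value in sorted(added.items()):
        print(f"[{sec}] {name}={value}  (only in the new export)")
    for (sec, name), value in sorted(removed.items()):
        print(f"[{sec}] {name}={value}  (only in the old export)")
```

Settings that appear only in the new export are worth reviewing as well, since they reflect options the new BIOS level introduced at their defaults.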


3 Replies
SWard4
Novice

Thanks for the info. After this BIOS update, are you saying that once I turn UEFI on, I can't turn it off to boot CD or USB key if necessary? Other BIOSs I've worked with allow one to just turn off UEFI if you want to boot from a USB or CD.

DSilv11
Valued Contributor III

If you enable the uefi secure boot, it will still boot to any uefi formatted media.

I have not tried disabling it after you get the OS loaded when I wanted to keep the OS.

It's kind of like messing with a RAID controller after making your RAID. OK if you know what you are doing, but best avoided.

If you do disable, any media will be recognized again.

The only issue is if you try to downgrade the BIOS for some reason after you enabled the secure boot.

Never figured out any reason a person would downgrade unless they just like known bugs.
