Secure Boot failure on ESXi 7.0 U3 - Solved

At the beginning of April, an ice storm hit Quebec and caused power outages lasting several days, particularly in areas with older trees where utility lines are not underground. When I started my ESXi host after 5 days offline, I ran into an error I've never seen before:

The system has found a problem on your machine and cannot continue. UEFI Secure Boot Failed

It seemed like all of the VIBs were now failing UEFI Secure Boot validation.

My first instinct was that due to an unclean shutdown, data on the boot volume was corrupted, and a reinstall would be required. The voice of my VMware TAM was in the back of my mind: I'm running non-HCL hosts, with NVMe SSDs not on the VSAN HCL, I should be thankful this works at all. And he's right. And I am. 

However, I'm happy to report this had a quick fix: while goofing around in the BIOS to see how I could bypass Secure Boot and load ESXi, I noticed that my system clock had rolled back to 2017! As it turns out, I had been foiled by a $1 CR2032 battery meant to keep time while the board is not connected to power. By setting the clock to the correct date, I was able to boot ESXi normally.

So why did this happen? 

To understand, we need to know a bit about Secure Boot:
Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
This means that each component in the boot "chain" from the computer firmware to the OS/drivers is digitally signed, and must validate the signature of the next step before proceeding. In this case, we were able to partially boot, but when it came time to load the VIBs from ESXi 7.0U3, the signature check failed, causing the error screen shown in the picture. 

I haven't inspected the signatures myself, but the most likely explanation is that the beginning of the certificate validity (the "NotBefore"), from the perspective of the machine who believed it was 2017, was in the future. Correcting the date in the BIOS allowed the certificate validation to pass and load ESXi. I've since changed the CMOS batteries on all of my homelab devices and hopefully won't have to think about this for another 3-4 years.

Comments

Post a Comment

Popular posts from this blog

MikroTik CRS309-1G-8S+IN in 2023

Image
In late 2019, ServeTheHome  reviewed  the MikroTik  CRS309-1G-8S+IN . TL;DR  it's an 8x SFP+, 1x 1G RJ45 managed switch that retails around $350 CAD. When these came out, nothing else on the market came close on cost per port, even unmanaged. STH called it an "absolutely great buy". In 2021 I picked the CRS309 as the 10G backbone for my new home network and vSphere lab. Out of the box, running RouterOS 6, it did everything I needed at the time: I wanted a 10G switch to play with VSAN, upgrade my NAS to 10G, and a few ports for future projects. I set it up and basically forgot about it. The CRS309 was a slam dunk then and I'm still happy with my decision. Is the CRS309 still a good buy in 2023?   There are now at least two other affordable fanless ~8 port 10G managed switches: TP-Link TL-SX3008F : 8 SFP+, works with or without their Omada controller. $299 CAD Ubiquiti  USW-Aggregation : 8 SFP+, requires a UniFi controller. $359 CAD They'll do VLANs, ACLs, probabl
Read more

ADFS RelayState (IdP-initiated sign-on deep links)

The university, as part of its digital strategy initiative, is pushing harder than ever for SSO across its major services. Part of this means standardizing on an IdP infrastructure to tie everything into, and for a lot of reasons (future post) we chose ADFS. Recently a service provider asked us if, since we are working this way with our Shibboleth IdP now, we can provide a deep link on the IdP domain that will redirect to the SP after the authentication flow. I figured it was possible, but it was the first time we had to think about this with ADFS. Turns out it's quite easy, at least on ADFS v5 (Server 2019). I'm probably explaining this wrong, but in SAML parlance the flow where the user connects to the IdP first and then gets punted to an SP is called RelayState, and typically it is triggered by appending a query string to the IdP-initiated sign-on page. First, enable IdP-initiated sign-on if you haven't already: Set-AdfsProperties -EnableIdpInitiatedSignonPage $tr
Read more