3 Replies Latest reply on Aug 13, 2019 8:53 AM by Chris_CCT

    ESXi 6.7 - Secure Boot and startup script

    Chris_CCT Lurker

      Hi,

       

      Hope someone may have run into this problem before and may be able to help.

       

      We have a customer that needs to boot with Secure Boot enabled. All works fine apart from the ability to run a simple script at startup.

      All the script does is load the ipmi_si_drv and ipmi_devintf drivers as for some reason these don't get loaded normally at start up.

       

      So we added the 2 lines to /etc/rc.local.d/local.sh, which works fine in legacy mode, but doesn't get run if Secure Boot is enabled. This is a design feature as you don't want to be running unverified software/commands.

       

      So my questions are:-

       

      1) Does anyone know how I could get around this without creating our own .vib that would need signing by VMware, as this is changing a system file (/etc/rc.local) that at Community Supported Level, is not covered? From what I understand VIB author is deprecated.

       

      or ideally

       

      2) Know why ipmi_si_drv and ipmi_devintf aren't loaded at boot time even though ipmiEnabled is set to TRUE?

       

      Many thanks in advance.

       

      BR,

      Chris

        • 1. Re: ESXi 6.7 - Secure Boot and startup script
          continuum Guru
          Community Warriors, vExpert, User Moderators

          Did you check your boot.cfg file yet?

          Do you see any messages in the vmkernel.log about those modules?

          • 2. Re: ESXi 6.7 - Secure Boot and startup script
            Chris_CCT Lurker

            Thanks for getting back to me.

             

            boot.cfg is as installed. I can see the following in the 'modules=' line:-

             

            --- ipmi_ipm.v00 --- ipmi_ipm.v01 --- ipmi_ipm.v02

             

            Below are entries from vmkernel.log with regard to ipmi. As you can see the module ipmi fails to load due to SMIC BMC SI not supported:-

             

            2019-08-07T08:36:45.181Z cpu0:2097152)VisorFSTar: 1856: ipmi_ipm.v00 for 0xa368 bytes

            2019-08-07T08:36:45.181Z cpu0:2097152)VisorFSTar: 1856: ipmi_ipm.v01 for 0x14b68 bytes

            2019-08-07T08:36:45.182Z cpu0:2097152)VisorFSTar: 1856: ipmi_ipm.v02 for 0x198b0 bytes

             

             

            2019-08-07T08:37:05.968Z cpu0:2097648)Activating Jumpstart plugin ipmi.

            2019-08-07T08:37:06.012Z cpu7:2098370)Loading module ipmi ...

            2019-08-07T08:37:06.013Z cpu7:2098370)Elf: 2101: module ipmi has license VMware

            2019-08-07T08:37:06.019Z cpu7:2098370)ipmi: SMBIOS IPMI Entry: Address: 0xca8, System Interface: 3, Alignment: 1, Map Type: 0

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiSysInt_Init:61: ipmi: The SMIC BMC System Interface is not supported. Error: Not supported

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiDriver_Init:205: ipmi: Failed to initialize IPMI system interface. Error: Not supported

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: CreateIpmiDrivers:1246: ipmi: Failed to initialize IPMI driver. Error: Not supported

            2019-08-07T08:37:06.019Z cpu7:2098370)ipmi: No valid IPMI devices were discovered based upon PCI, ACPI or SMBIOS entries, attempting to discover IPMI devices at default locations

            2019-08-07T08:37:06.019Z cpu7:2098370)IOResource: 331: Registered resource 0x430587a6bfc0 from module 0 type 3 @ ca2 len=2

            2019-08-07T08:37:06.019Z cpu7:2098370)ipmi: KCS Port Map: Command Port: 0xca3 Data Port: 0xca2

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: SanityCheckStatusReg:101: ipmi: Reading the KCS Status Register produced an invalid value: 0xFF

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiSysIntKcs_Init:769: ipmi: Failure to inialize KCS registers. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiDriver_Init:205: ipmi: Failed to initialize IPMI system interface. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: CreateIpmiDrivers:1246: ipmi: Failed to initialize IPMI driver. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)IOResource: 331: Registered resource 0x430587a6bfc0 from module 0 type 3 @ e4 len=3

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: SanityCheckRegs:111: ipmi: Reading the BT Control Register produced an invalid value: 0xFF

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiSysIntBt_Init:107: ipmi: Failed to initialize BT registers. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiDriver_Init:205: ipmi: Failed to initialize IPMI system interface. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: CreateIpmiDrivers:1246: ipmi: Failed to initialize IPMI driver. Error: Failure

            2019-08-07T08:37:06.019Z cpu7:2098370)ipmi: Failed to create any IPMI drivers

            2019-08-07T08:37:06.019Z cpu7:2098370)ipmi failed to load.

            2019-08-07T08:37:06.020Z cpu7:2098370)WARNING: Elf: 3144: Kernel based module load of ipmi failed: Failure <Mod_LoadDone failed>

            2019-08-07T08:37:06.640Z cpu2:2097648)Jumpstart plugin ipmi activation failed: ipmi->start() failed: exited with code 1

             

             

            But if I then load the ipmi_si_drv and ipmi_devintf manually this driver seems to initialize with the SMC interface correctly:-

             

            [root@TRE5x:/var/log] vmkload_mod ipmi_si_drv

            Module ipmi_si_drv loaded successfully

            [root@TRG4x:/var/log] vmkload_mod ipmi_devintf

            Module ipmi_devintf loaded successfully

            [root@TRG4x:/var/log]

             

             

            2019-08-07T08:42:08.399Z cpu9:2099901)Loading module ipmi_msghandler ...

            2019-08-07T08:42:08.399Z cpu9:2099901)Elf: 2101: module ipmi_msghandler has license GPL

            2019-08-07T08:42:08.400Z cpu9:2099901)module heap vmklnx_ipmi_msghandler: Initial heap size = 16384, max heap size = 9666560

            2019-08-07T08:42:08.400Z cpu9:2099901)vmklnx_module_mempool_init: Mempool max 9666560 being used for module: 4196

            2019-08-07T08:42:08.400Z cpu9:2099901)vmk_MemPoolCreate passed for 4 pages

            2019-08-07T08:42:08.400Z cpu9:2099901)module heap vmklnx_ipmi_msghandler: using memType 0

            2019-08-07T08:42:08.400Z cpu9:2099901)module heap vmklnx_ipmi_msghandler: creation succeeded. id = 0x4308529a3000

            2019-08-07T08:42:08.400Z cpu9:2099901)<6>ipmi message handler version 39.2-6vmw

            2019-08-07T08:42:08.400Z cpu9:2099901)Mod: 4962: Initialization of ipmi_msghandler succeeded with module ID 4196.

            2019-08-07T08:42:08.400Z cpu9:2099901)ipmi_msghandler loaded successfully.

            2019-08-07T08:42:08.400Z cpu9:2099901)Loading module ipmi_si_drv ...

            2019-08-07T08:42:08.400Z cpu9:2099901)Elf: 2101: module ipmi_si_drv has license GPL

            2019-08-07T08:42:08.401Z cpu9:2099901)module heap vmklnx_ipmi_si_drv: Initial heap size = 16384, max heap size = 9666560

            2019-08-07T08:42:08.401Z cpu9:2099901)vmklnx_module_mempool_init: Mempool max 9666560 being used for module: 4197

            2019-08-07T08:42:08.401Z cpu9:2099901)vmk_MemPoolCreate passed for 4 pages

            2019-08-07T08:42:08.401Z cpu9:2099901)module heap vmklnx_ipmi_si_drv: using memType 0

            2019-08-07T08:42:08.401Z cpu9:2099901)module heap vmklnx_ipmi_si_drv: creation succeeded. id = 0x4308532de000

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>IPMI System Interface driver.

            2019-08-07T08:42:08.401Z cpu9:2099901)PCI: driver ipmi_si is looking for devices

            2019-08-07T08:42:08.401Z cpu9:2099901)PCI: driver ipmi_si claimed 0 device

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>ipmi_si: No BMC IRQ configured in SMBIOS. Operating in polling mode

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>ipmi_si: probing via SMBIOS

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>ipmi_si: SMBIOS: io 0xca9 regsize 1 spacing 1 irq 0

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>ipmi_si: Adding SMBIOS-specified smic state machine

            2019-08-07T08:42:08.401Z cpu9:2099901)<6>ipmi_si: Trying SMBIOS-specified smic state machine at i/o address 0xca9, slave address 0x20, irq 0

            2019-08-07T08:42:08.875Z cpu9:2099901)<6>ipmi_si ipmi_si.0: Found new BMC (man_id: 0x  005f4a,  prod_id: 0xa011, dev_id: 0x 00)

            2019-08-07T08:42:08.875Z cpu9:2099901)<6>ipmi_si ipmi_si.0: IPMI smic interface initialized

            2019-08-07T08:42:08.875Z cpu9:2099901)Mod: 4962: Initialization of ipmi_si_drv succeeded with module ID 4197.

            2019-08-07T08:42:08.875Z cpu9:2099901)ipmi_si_drv loaded successfully.

            2019-08-07T08:42:13.643Z cpu20:2099929)Loading module ipmi_devintf ...

            2019-08-07T08:42:13.643Z cpu20:2099929)Elf: 2101: module ipmi_devintf has license GPL

            2019-08-07T08:42:13.644Z cpu20:2099929)module heap vmklnx_ipmi_devintf: Initial heap size = 16384, max heap size = 9666560

            2019-08-07T08:42:13.644Z cpu20:2099929)vmklnx_module_mempool_init: Mempool max 9666560 being used for module: 4198

            2019-08-07T08:42:13.644Z cpu20:2099929)vmk_MemPoolCreate passed for 4 pages

            2019-08-07T08:42:13.644Z cpu20:2099929)module heap vmklnx_ipmi_devintf: using memType 0

            2019-08-07T08:42:13.644Z cpu20:2099929)module heap vmklnx_ipmi_devintf: creation succeeded. id = 0x430853c19000

            2019-08-07T08:42:13.644Z cpu20:2099929)<6>ipmi device interface

            2019-08-07T08:42:13.644Z cpu20:2099929)Mod: 4962: Initialization of ipmi_devintf succeeded with module ID 4198.

            2019-08-07T08:42:13.644Z cpu20:2099929)ipmi_devintf loaded successfully.

             

            Is there anything I can add to boot.cfg to load the above driver automatically?

             

            Many thanks,

            Chris
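
Added example, not part of the original post: a short Python triage of the vmkernel.log lines quoted above. It groups each "Loading module" attempt with its outcome and with the warnings logged by the same world ID. The sample lines are excerpted from the post; the function name `summarize` and the grouping by world ID are assumptions of this example.

```python
import re

# Lines excerpted from the vmkernel.log quoted in the post above.
SAMPLE_LOG = """\
2019-08-07T08:37:06.012Z cpu7:2098370)Loading module ipmi ...
2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: IpmiSysInt_Init:61: ipmi: The SMIC BMC System Interface is not supported. Error: Not supported
2019-08-07T08:37:06.019Z cpu7:2098370)WARNING: ipmi: SanityCheckStatusReg:101: ipmi: Reading the KCS Status Register produced an invalid value: 0xFF
2019-08-07T08:37:06.019Z cpu7:2098370)ipmi failed to load.
2019-08-07T08:42:08.399Z cpu9:2099901)Loading module ipmi_msghandler ...
2019-08-07T08:42:08.400Z cpu9:2099901)ipmi_msghandler loaded successfully.
2019-08-07T08:42:08.400Z cpu9:2099901)Loading module ipmi_si_drv ...
2019-08-07T08:42:08.875Z cpu9:2099901)<6>ipmi_si ipmi_si.0: IPMI smic interface initialized
2019-08-07T08:42:08.875Z cpu9:2099901)ipmi_si_drv loaded successfully.
"""

# "<timestamp> cpuN:<world id>)<message>"
LINE = re.compile(r"^\S+Z cpu\d+:(?P<world>\d+)\)(?P<msg>.*)$")
LOADING = re.compile(r"^Loading module (\S+) \.\.\.$")
RESULT = re.compile(r"^(\S+) (loaded successfully|failed to load)\.$")

def summarize(log_text):
    """Return {module: {"status", "warnings"}} in the order loads were attempted."""
    modules = {}
    in_flight = {}  # world id -> module that world is currently loading
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # blank or non-vmkernel line
        world, msg = m["world"], m["msg"]
        start, result = LOADING.match(msg), RESULT.match(msg)
        if start:
            modules[start.group(1)] = {"status": "unknown", "warnings": []}
            in_flight[world] = start.group(1)
        elif result and result.group(1) in modules:
            ok = result.group(2) == "loaded successfully"
            modules[result.group(1)]["status"] = "loaded" if ok else "failed"
            in_flight.pop(world, None)
        elif msg.startswith("WARNING: ") and world in in_flight:
            # Attribute the warning to the load this world has in progress.
            modules[in_flight[world]]["warnings"].append(msg[len("WARNING: "):])
    return modules

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(f"{name:16} {info['status']:7} warnings={len(info['warnings'])}")
        for text in info["warnings"]:
            print("    " + text)
```

A module whose "Loading module" line has no matching result line is reported with status "unknown".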

            • 3. Re: ESXi 6.7 - Secure Boot and startup script
              Chris_CCT Lurker

              Hi,

               

              Can anyone help with the above or anyone got a copy of VIB author so I can create my own signed .vib file?

               

              Many thanks,

              Chris