Cannot enable secure boot on host upgraded to ESXi 6.7

Article ID: 301188

Products

VMware vSphere ESXi

Issue/Introduction

You see an error when you upgrade an ESXi host from 6.0 Patch 06 to 6.7 GA and attempt to enable secure boot on that host.
If the error indicates that the problem is caused by the ipmi-ipmi-devintf, ipmi-ipmi-si-drv or ipmi-ipmi-msghandler VIBs, you can remove these VIBs without complications.

Environment

VMware vSphere ESXi 6.7

Resolution


1. Upgrade to ESXi 6.7 with an ISO. Secure boot is not supported if you used ESXCLI for the upgrade.
2. After the upgrade, run the secure boot verification script to identify any problems. The script reports a warning about the ipmi-ipmi-devintf, ipmi-ipmi-si-drv and/or ipmi-ipmi-msghandler VIBs.

[root@localhost:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -c
Secure boot CANNOT be enabled: Failed to verify signatures of the following vib(s): [ipmi-ipmi-devintf, ipmi-ipmi-si-drv and ipmi-ipmi-msghandler]. All tardisks validated. All acceptance levels validated


3. Remove ipmi-ipmi-devintf, ipmi-ipmi-si-drv and ipmi-ipmi-msghandler VIBs.
 
a. To remove all the VIBs together, run:

esxcli software vib remove -n ipmi-ipmi-devintf -n ipmi-ipmi-si-drv -n ipmi-ipmi-msghandler

b. To remove the VIBs individually, run:

[root@localhost:~] esxcli software vib remove -n ipmi-ipmi-devintf
   Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed:
   VIBs Removed: VMW_bootbank_ipmi-ipmi-devintf_39.1-4vmw.670.0.0.8169922
   VIBs Skipped:

[root@localhost:~] esxcli software vib remove -n ipmi-ipmi-si-drv
   Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed:
   VIBs Removed: VMW_bootbank_ipmi-ipmi-si-drv_39.1-4vmw.670.0.0.8169922
   VIBs Skipped:
 
[root@localhost:~] esxcli software vib remove -n ipmi-ipmi-msghandler
   Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed:
   VIBs Removed: VMW_bootbank_ipmi-ipmi-msghandler_39.1-4vmw.670.0.0.8169922
   VIBs Skipped:

            
4. Check compatibility again.

[root@localhost:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -c
Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated


5. Reboot and enable secure boot from the UEFI firmware interface.
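
The following Python sketch is an added example, not part of the original article or of VMware's tooling. It parses the verdict line printed in steps 2 and 4 and builds the removal command from step 3 only for the three IPMI VIBs this article names, leaving any other failing VIB for manual review. The function names, and the assumption that the message is worded as in this article's samples, belong to the example.

```python
import re

# VIBs this article says can be removed without complications.
REMOVABLE = {"ipmi-ipmi-devintf", "ipmi-ipmi-si-drv", "ipmi-ipmi-msghandler"}

# Message layout copied from the sample output in this article (assumption:
# the script on your build words its verdict the same way).
FAILED = re.compile(
    r"Failed to verify signatures of the following vib\(s\):\s*\[([^\]]*)\]")


def parse_check(output):
    """Return (can_enable, failing_vib_names) for `secureBoot.py -c` output."""
    if "Secure boot can be enabled" in output:
        return True, []
    if "Secure boot CANNOT be enabled" not in output:
        raise ValueError("unrecognised secureBoot.py output")
    match = FAILED.search(output)
    if match is None:
        return False, []  # blocked for a reason other than VIB signatures
    # Names are separated by commas and/or the word "and"; drop any quotes.
    parts = re.split(r",|\s+and\s+", match.group(1))
    return False, [p.strip(" '\"") for p in parts if p.strip(" '\"")]


def plan(output):
    """Build the removal command only for VIBs the article lists as removable."""
    can_enable, failing = parse_check(output)
    safe = [v for v in failing if v in REMOVABLE]
    review = [v for v in failing if v not in REMOVABLE]
    command = None
    if safe:
        command = "esxcli software vib remove " + " ".join("-n " + v for v in safe)
    if can_enable:
        status = "ready"
    elif safe and not review:
        status = "remove-and-recheck"
    else:
        status = "manual-review"
    return {"status": status, "command": command, "review": review}


if __name__ == "__main__":
    # Sample taken from step 2 of this article.
    sample = ("Secure boot CANNOT be enabled: Failed to verify signatures of the "
              "following vib(s): [ipmi-ipmi-devintf, ipmi-ipmi-si-drv and "
              "ipmi-ipmi-msghandler]. All tardisks validated. "
              "All acceptance levels validated")
    print(plan(sample))
```

A "manual-review" status means at least one failing VIB is outside the list this article covers, or secure boot is blocked for a reason other than VIB signatures.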

Additional Information

The lsu-lsi-mptsas-plugin VIB can cause the same warning in ESXi 6.5. For more information, see "Cannot enable secure boot on ESXi 6.5 host that was upgraded" (2147606).