Intel TXT Validation Tool Has Error With Secure Boot Enabled - Lenovo Flex System x240 M5 Compute Node (2591, 9532)

Troubleshooting

Problem

Intel has a set of Trusted Execution Technology (TXT) validation tools which users can download using Intel 's Business Link (IBL) 488367. The suite of tools validates TXT operation using a collection of shell commands which are also documented in a pdffile within the same IBL.

Resolving The Problem

Source

RETAIN Tip:H213567

Symptom

One (1) of the tools used is getsec64.efi. With Unified Extensible Firmware Interface (UEFI) Secure Boot off, it runs without issue. With Secure Boot enabled, it requires the user to sign with the same certificate used to sign UEFI Shell, but then returns an error 'SINIT ACM does not match'.

Affected Configurations

The system may be any of the following IBM servers:

Flex System x240 M5 Compute Node, Type 2591, any model, any AC1
Flex System x240 M5 Compute Node, Type 9532, any model, any AC1

This tip is not software specific.

This tip is not option specific.

The getsec64.efi utility is affected.

The following system BIOS/uEFI level(s) are affected: CVE103DUS (test build) CVE104DUS (production level)

The system has the symptom described above.

Solution

This is a permanent restriction, there will be no solution.

Workaround

Run the tool with Secure Boot disabled.

Document Location

Worldwide

Operating System

Lenovo x86 servers:Operating system independent / None

[{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"QUOFHL2","label":"Lenovo x86 servers->Lenovo x240 M5 Compute Node->9532"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"QUOFI1N","label":"Lenovo x86 servers->Lenovo x240 M5 Compute Node->2591"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}}]

Tips