Secure Endpoint FPGA Firmware on UCS 6400 Fabric Interconnects

Available Languages

Download Options

  • PDF     (281.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (333.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (222.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 2, 2021
Document ID:217041

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to enable secure Field-Programmable Gate Array (FPGA) on 6400 Fabric Interconnects (FIs).

    Problem

    In Unified Computing System Manager (UCS Manager) upgrades to Release 4.1(3) or later on 6400 (4th Generation) FIs, customers will see this major error:

    Secure Endpoint FPGA Firmware on UCS 6400 Fabric Interconnects - Endpoint FPGA Firmware Unsecured Error

    Description: Endpoint FPGA firmware Unsecured.
Fault Code: F2023

    This is a new feature in response to a known secure boot vulnerability where golden regions of the FPGA could have code injected or modified, which essentially defeats secure boot.

    Solution

    This is an expected message when you upgrade to Release 4.1(3) or later on 6400 Series FIs. It might only occur on one or both FIs, and depends on the code they originally shipped with.

    There is no risk to production other than the reduced security. This can be delayed until the next planned maintenance window.

    The FPGA can be secured and the error cleared with these steps via an SSH session or in the UCS Manager GUI.

    Note: This will require a reboot of each FI. It is recommended to do this in a service window.

    SSH Session

    1. Open a SSH session to the domain. The cluster IP address or either FI's IP address will work. 
      UCS-A# scope fabric-interconnect a
UCS-A /fabric-interconnect# activate secure-fpga
UCS-A/fabric-interconnect*# commit-buffer

      Note: The FI will reboot after a short delay. Do not manually reboot the FI!

    2. Repeat this process on the B FI. 
      UCS-B# top
UCS-B# scope fabric-interconnect b
UCS-B /fabric-interconnect# activate secure-fpga
UCS-B/fabric-interconnect*# commit-buffer

      Note: The FI will reboot after a short delay. Do not manually reboot the FI!

      The Endpoint FPGA firmware unsecured error should now be in the cleared state.

    UCS Manager Web UI

    1. In the Navigation pane, choose Equipment > Fabric Interconnects > Fabric_Interconnect_Name.
    2. In the Work pane, click the General tab.
    3. In the Actions area of the General tab, click Install Secure FPGA.

      Secure Endpoint FPGA Firmware on UCS 6400 Fabric Interconnects - UCS Manager GUI Install Secure FPGA

    4. In the dialog box, click OK.
    5. Click Yes in the warning message for Cisco UCS Manager to restart the FI, log you out, and disconnect the Cisco UCS Manager GUI.

      Secure Endpoint FPGA Firmware on UCS 6400 Fabric Interconnects - Install Secure FPGA Confirmation

      Note: The FI will reboot after a short delay. Do not manually reboot the FI!

      If you do not see the "Install Secure FPGA" option, clear your browser cache or use a private browsing session.

    For more information about the Secure FPGA upgrade, see Release Notes for Cisco UCS Manager, Release 4.1.

    Revision History

    Revision Publish Date Comments
    2.0
    02-Dec-2021
    Updated the Introduction section.
    1.0
    14-Apr-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Alberto J Fedeli
      Cisco TAC Engineer
    • Justin Pierce
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products