    UEFI Bootloader and KB5012170

    • christopher-petzel

      I'm attempting to determine if a problem I'm having with installing Windows 10 update KB5012170 is related to the UEFI bootloader used by the VM.

      XCP-ng version is 8.2.1 and is nearly fully patched (have not installed 4.13.4-9.24.1.xcpng8.2 yet).

      I started noticing 4 Windows 10 VMs (on separate hosts) rebooting every night for the past 5 days and found that KB5012170 was not installing because of error 0x800f0922. I've found that this is probably because of the UEFI bootloader now being in the Secure Boot DBX (Forbidden Signature Database). I'm basing this on this article: https://www.bleepingcomputer.com/news/security/windows-kb5012170-secure-boot-dbx-update-may-fail-with-0x800f0922-error/

      Apparently if the UEFI bootloader is signed by keys from one of three vendors (New Horizon Datasys Inc, CryptoPro Secure Disk, Eurosoft (UK) Ltd) then KB5012170 will fail to install with error 0x800f0922 because these signatures have been blacklisted.

      I know the VMs are using the TianoCore UEFI implementation. I've looked at the TianoCore bugtracker but didn't find anything related - although if the issue is in fact caused by Microsoft blacklisting the signature, I don't know that it would even be a bug, per se.

        • christopher-petzel @christopher-petzel

          I've not been able to find information on the signature used by the UEFI bootloader and if that is on the DBX update in KB5012170. Since my original post, Microsoft has updated the Known Issues documentation for KB5012170 and it seems that this problem is now 'known' and has a proposed resolution of, "We are presently investigating and will provide an update in an upcoming release."

          So at this point, it appears Microsoft is investigating this as an issue Microsoft needs to resolve, not an issue with the bootloader itself.

          Reference: https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15
          (see the third issue listed in Known Issues, which didn't exist until after my initial post)

          • stormi (Vates, XCP-ng Team)

            Is Secure Boot enabled on the Windows VMs? If not, would enabling it let the update install correctly?

            See https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot about the requirements to enable secure boot.

            • christopher-petzel @stormi

              Secure Boot was not enabled in the VM. I enabled Secure Boot in the VM and was able to install KB5012170 without any problem.

              I tested further to see if there were any issues related to enabling then disabling Secure Boot in the VM. I did not experience any problems booting the VM after disabling Secure Boot. There were no problems booting the VM after moving it to a pool where the default UEFI Certificates had not been installed.

              For anyone wanting to resolve the KB5012170 update error, here are the steps I took:

              • On the pool/host for the VM, install the UEFI Certificates with secureboot-certs install
              • Shut down the problem VM
              • Enable Secure Boot on the VM. I do this via Xen Orchestra but it can also be done with xe vm-param-set uuid=[uuid of VM] platform:secureboot=true
              • Boot the VM
              • Apply the KB5012170 update
              • Shut down the VM
              • Disable Secure Boot on the VM via XO or xe vm-param-set uuid=[uuid of VM] platform:secureboot=false
              • Boot the VM

              https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot is a very thorough guide on Secure Boot in XCP-ng.

              Thanks for the help @stormi

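The enable/update/disable procedure above, as an added shell example that is not from this thread or the XCP-ng project: it splits the steps into a prepare phase and a finish phase, reads the flag back after setting it, and refuses to touch platform:secureboot unless the VM is halted. It assumes standard xe subcommands (vm-param-get, vm-param-set, vm-shutdown, vm-start, pool-list, pool-param-get) and that the pool field uefi-certificates is non-empty once secureboot-certs install has been run.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: wraps the Secure Boot toggle procedure
# so the platform:secureboot flag is only changed while the VM is halted.
# Assumption: the pool field "uefi-certificates" is non-empty after
# `secureboot-certs install`; the xe subcommands used are standard XAPI ones.
set -eu

vm_power_state() { xe vm-param-get uuid="$1" param-name=power-state; }

# Current value of platform:secureboot ("false" when the key is absent).
vm_secureboot() {
  xe vm-param-get uuid="$1" param-name=platform param-key=secureboot 2>/dev/null || echo false
}

pool_has_uefi_certs() {
  local pool
  pool=$(xe pool-list --minimal)
  [ -n "$(xe pool-param-get uuid="$pool" param-name=uefi-certificates)" ]
}

# set_secureboot <vm-uuid> true|false : refuses unless the VM is halted.
set_secureboot() {
  local uuid=$1 want=$2
  if [ "$(vm_power_state "$uuid")" != "halted" ]; then
    echo "refusing: VM $uuid is not halted" >&2
    return 1
  fi
  xe vm-param-set uuid="$uuid" platform:secureboot="$want"
  [ "$(vm_secureboot "$uuid")" = "$want" ]   # read the flag back
}

# Phase 1: enable Secure Boot and boot the guest so KB5012170 can install.
secureboot_prepare() {
  pool_has_uefi_certs || { echo "run 'secureboot-certs install' on the pool first" >&2; return 1; }
  [ "$(vm_power_state "$1")" = "halted" ] || xe vm-shutdown uuid="$1"
  set_secureboot "$1" true
  xe vm-start uuid="$1"
}

# Phase 2 (after the update, or if the guest loops in Automatic Repair):
# shut down, put the flag back to false, boot again.
secureboot_finish() {
  [ "$(vm_power_state "$1")" = "halted" ] || xe vm-shutdown uuid="$1"
  set_secureboot "$1" false
  xe vm-start uuid="$1"
}

case "${1:-}" in
  prepare) secureboot_prepare "$2" ;;
  finish)  secureboot_finish "$2" ;;
esac
```

Run it on the pool master as `./sb-toggle.sh prepare <vm-uuid>`, install the update inside the guest, then `./sb-toggle.sh finish <vm-uuid>`.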
              • john205 @christopher-petzel

                @christopher-petzel Thanks for those tips. This seemed to work well on two Windows Server 2019 VMs, but not on a Windows 10 VM which sat there saying "Preparing Automatic Repair" for ages, so I reverted back to non-secure boot.

                john

                • capeschools @christopher-petzel

                  @christopher-petzel Thanks for this information. I've been coming across this issue on a few 2019 servers and this worked perfectly!

                  • Berrick @christopher-petzel

                    @christopher-petzel Many thanks, saved me from hours of searching for a fix 🙂
