I’m building an ESXi host to use as a homelab. I’d like to purchase an Intel I350 NIC, but I am a little paranoid about firmware security and Secure Boot. Does this NIC support Secure Boot? If so, will I need to add a new public key in the BIOS?
Secure Boot is a UEFI feature that validates the bootloader, OS, and drivers each time the system boots. That validation takes place between the UEFI firmware and a TPM module (or the 5700X’s fTPM in your case) to verify the digital signatures of software, but does not extend to checking the firmware on devices such as NICs, HBAs, or IPMI cards. The software drivers for the NIC will however be digitally signed and validated on boot when Secure Boot is enabled.
ESXi can use the Microsoft DB key preinstalled by Gigabyte rather than manually importing VMware’s. And it’s actually the easier option, as you won’t have to reimport keys after each BIOS update.
The last time I tried to install ESXi on consumer hardware it did not have device drivers for a lot of hardware on B450. Maybe you’ll have better luck than I did.
I have an I350-T2 in my PC, no issue with secure boot for both Windows 10 and ESXi. You might have to flash the firmware on the I350 to the latest version, but it’s not too difficult.
A word of caution though, ESXi doesn’t have driver support for Realtek NICs if your board has it.
Are we certain this is true for this particular board? UEFI Secure Boot as a specification does not require a TPM from what I know, though it could certainly be used in a particular board’s Secure Boot implementation.
I’m using the term “firmware” loosely. As far as I know, the only thing that is updateable on the I350 is the option ROM, which is validated as part of the secure boot process. Do you know of any other code that could be easily written to the NIC that wouldn’t be checked by secure boot?
Hey, fTPM is a feature of all the modern new CPUs, and Intel has their own version of it.
It should not be vendor locked, and I think it should be available on modern CPUs.
Unless the OEM has decided to lock it out, but I am not aware of instances where this has happened
I am not doubting that the TPM is accessible by the OS, I am saying that its presence or being enabled does not necessarily mean that the UEFI firmware is making use of it for its Secure Boot implementation.
Option ROM contains code to be run by the CPU; there could be firmware for the card itself, meant to run on the NIC/GPU’s own processing cores.
The BCM5719 contains four MIPS RX CPUs, one for each PCI function (port); it also contains a single “APE” core, which is a little-endian ARM CPU.
I, sadly, do not know if the Intel i350 has these kinds of separate cores with their own firmware; however, if the card’s cores have their own firmware, I am fairly confident that such firmware is not validated by TPM and/or UEFI.
Question about firmware updates for the I350-T4: With other Intel Ethernet adapters (X550, XL710) I’m used to Intel regularly releasing firmware updates via their “Ethernet Adapter Complete Driver Pack” (that helped me quite a lot). If I check the latest package (27.4), there’s nothing in there for the I350.
Is it factual that there haven’t been any firmware fixes for the I350 in its entire lifespan?
There seems to be an increment in the option ROM version number, but I can’t say with certainty that the boot agent and UEFI drivers are updated for the I350, since the same combo image is used to flash all Intel NICs.
Edit:
v27.4 driver package iv.txt file under the APPS > BootUtil directory:
I was able to update the I350 firmware from one of the Dell update packages. However, my machine had CSM turned on because of an old video card (so Secure Boot was off on first boot). Do I have anything to worry about? I got the card from TechMikeNY, which seems to be a pretty reputable seller. Barring some option ROM malware installed at whatever data center this used to be at, I think I’m OK(?) Planning to replace my GPU with one that supports UEFI anyway.
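To make the option ROM discussion above concrete (an added example, not code from this thread or from Intel): a small parser that walks the image chain of a PCI option ROM and reports which images are EFI code, the part Secure Boot signature-checks, and which are legacy x86 code that only runs under CSM with Secure Boot off. Header offsets follow the PCI Firmware and UEFI specifications; the sample ROM is constructed, and the 8086:1521 IDs are assumed to be an I350 port.

```python
import struct
# Code types from the PCIR structure (PCI Firmware Specification).
CODE_TYPES = {0x00: "x86 legacy BIOS (only runs under CSM)", 0x01: "Open Firmware",
              0x02: "HP PA-RISC", 0x03: "EFI driver (signature-checked by Secure Boot)"}

def parse_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI option ROM and describe each image."""
    images, off = [], 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":            # expansion ROM signature
            raise ValueError("bad ROM signature at 0x%x" % off)
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError("missing PCIR structure at 0x%x" % pcir)
        vid, did = struct.unpack_from("<HH", rom, pcir + 4)
        size = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512  # length in 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        img = {"offset": off, "vendor_id": vid, "device_id": did, "size": size,
               "code_type": code_type, "kind": CODE_TYPES.get(code_type, "unknown"),
               "secure_boot_checked": code_type == 0x03, "last": bool(indicator & 0x80)}
        if code_type == 0x03:
            # EFI ROM header: 0x0EF1 signature at +0x04, PE machine type at +0x0A
            img["efi_signature_ok"] = struct.unpack_from("<I", rom, off + 4)[0] == 0x0EF1
            img["machine_type"] = struct.unpack_from("<H", rom, off + 0x0A)[0]
        images.append(img)
        if img["last"] or size == 0:
            break
        off += size
    return images

def build_image(code_type: int, last: bool, vid: int = 0x8086, did: int = 0x1521) -> bytes:
    """Constructed minimal 512-byte image for the demo; 8086:1521 is assumed to be an I350 port."""
    img = bytearray(512)
    img[0:2], pcir = b"\x55\xAA", 0x40
    struct.pack_into("<H", img, 0x18, pcir)
    if code_type == 0x03:
        struct.pack_into("<IHH", img, 0x04, 0x0EF1, 0x0B, 0x8664)  # EFI sig, BOOT_SERVICE_DRIVER, x64
    img[pcir:pcir + 4] = b"PCIR"
    struct.pack_into("<HH", img, pcir + 4, vid, did)
    struct.pack_into("<H", img, pcir + 0x10, 1)       # one 512-byte block
    img[pcir + 0x14], img[pcir + 0x15] = code_type, (0x80 if last else 0x00)
    return bytes(img)

# Constructed sample: a legacy x86 image followed by the EFI image of the same card.
SAMPLE_ROM = build_image(0x00, False) + build_image(0x03, True)

if __name__ == "__main__":
    for i in parse_option_rom(SAMPLE_ROM):
        print("0x%04x %04x:%04x %-45s checked=%s" % (i["offset"], i["vendor_id"], i["device_id"], i["kind"], i["secure_boot_checked"]))
```

On a Linux host the same parser can be pointed at the image a card exposes through sysfs (`/sys/bus/pci/devices/<bdf>/rom`); it only describes the option ROM, so any separate firmware running on the card's own cores stays outside what it, or Secure Boot, can see.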