Considerations for i350-T4 and secure boot

I’m building an ESXi host to use as a homelab. I’d like to purchase an Intel I350 NIC, but I am a little paranoid about firmware security and secure boot. Does this NIC support secure boot? If so, will I need to add a new public key in the BIOS?

Build:
Ryzen 5700X
Gigabyte Aorus Elite X570

Secure Boot is a UEFI feature that validates the bootloader, OS, and drivers each time the system boots. That validation takes place between the UEFI firmware and a TPM module (or the 5700X’s fTPM in your case) to verify the digital signatures of software, but does not extend to checking the firmware on devices such as NICs, HBAs, or IPMI cards. The software drivers for the NIC will however be digitally signed and validated on boot when Secure Boot is enabled.

ESXi can use the Microsoft DB key preinstalled by Gigabyte rather than manually importing VMware’s. And it’s actually the easier option as you won’t have to reimport keys after each BIOS update.

The last time I tried to install ESXi on consumer hardware it did not have device drivers for a lot of hardware on B450. Maybe you’ll have better luck than I did.

I have an I350-T2 in my PC, no issue with secure boot for both Windows 10 and ESXi. You might have to flash the firmware on the I350 to the latest version, but it’s not too difficult.

A word of caution though, ESXi doesn’t have driver support for Realtek NICs if your board has it.

PC Specs:
5900X and MSI X570 Tomahawk Wifi

1 Like

Are we certain this is true for this particular board? UEFI Secure Boot as a specification does not require a TPM from what I know, though it could certainly be used on a particular board’s Secure Boot implementation.

1 Like

I’m running a Gigabyte Aorus Pro X570 w/ a 3700X and I can vouch it supports fTPM. So I was assuming the Elite model would also but could be wrong.

1 Like

I’m using the term “firmware” loosely. As far as I know, the only thing that is updateable on the I350 is the option ROM, which is validated as part of the secure boot process. Do you know of any other code that could be easily written to the NIC that wouldn’t be checked by secure boot?

Thanks for the warning. I actually had to return a mobo because of this plus IOMMU issues. This board has an integrated i210 NIC, woo!

Hey, fTPM is a feature of all the modern new CPUs, and Intel has their own version of it.
It should not be vendor locked, and I think it should be available on modern CPUs.
Unless the OEM has decided to lock it out, but I am not aware of instances where this has happened.

1 Like

I am not doubting that the TPM is accessible by the OS, I am saying that its presence or being enabled does not necessarily mean that the UEFI firmware is making use of it for its Secure Boot implementation.

Option ROM contains code to be run by the CPU; there could be firmware for the card itself, meant to run on the NIC/GPU’s own processing cores.

For example, open source devotees wanting to avoid as much proprietary code as possible have (with some encouragement) reverse-engineered, then clean-room re-implemented the code that operates the cores within the BCM5719 Broadcom NIC that the Talos II and Blackbird POWER9 motherboards use. Reading the documentation created from reverse-engineering, you can see that this NIC has five separate cores on the card itself that need their own firmware:

The BCM5719 contains four MIPS RX CPUs, one for each PCI function (port); it also contains a single “APE” core, which is a little-endian ARM CPU.

I, sadly, do not know if the Intel i350 has these kinds of separate cores with their own firmware; however, if the card’s cores have their own firmware, I am fairly confident that such firmware is not validated by TPM and/or UEFI.

Got an I350-T4 and a spare X570 motherboard for experimentation, can check if anything is up with Secure Boot.

1 Like

Question about firmware updates for the I350-T4: With other Intel Ethernet adapters (X550, XL710) I’m used to Intel regularly releasing firmware updates via their “Ethernet Adapter Complete Driver Pack” (that helped me quite a lot). If I check the latest package (27.4), there’s nothing in there for the I350.

Is it factual that there haven’t been any firmware fixes for the I350 in its entire lifespan?

From the v25.0 driver package release notes:

  1. PREBOOT/OROM 1.2522.0 update for I340, I350, X520, and X540 adapters.

And from the v26.8 driver package iv.txt file under the APPS > BootUtil directory:

Image versions in BootIMG.FLB

Combo Image Version Name 1.3106.0

Combo Rules                    v4.91.00
Clp-Loader Option ROM          v3.1.30
40G Interface Module           v1.0.88
iSCSI Option ROM               v3.1.80
iSCSI Setup Option ROM         v3.1.80
Intel(R) Boot Agent GE         v1.5.89
Intel(R) Boot Agent XE         v2.4.45
Intel(R) Boot Agent XE (X550)  v2.4.45
Intel(R) Boot Agent I40E       v1.1.31
Intel(R) Boot Agent CL         v0.1.16
Intel(R) Boot Agent ICE        v2.5.01
UEFI x64 PCI-E gigabit driver  v9.7.06
UEFI x64 10 gigabit driver     v8.1.00
UEFI x64 40 gigabit driver     v4.8.08
UEFI x64 100 gigabit driver    v3.1.24

There seems to be an increment in option ROM version number, but I can’t say with certainty that the boot agent and UEFI drivers are updated for the I350, since the same combo image is used to flash all Intel NICs.

Edit:
v27.4 driver package iv.txt file under the APPS > BootUtil directory:

Image versions in BootIMG.FLB

Combo Image Version Name 1.3220.0

Combo Rules                    v4.97.00
Clp-Loader Option ROM          v3.1.30
40G Interface Module           v1.0.92
iSCSI Option ROM               v3.1.80
iSCSI Setup Option ROM         v3.1.80
Intel(R) Boot Agent GE         v1.5.89
Intel(R) Boot Agent XE         v2.4.45
Intel(R) Boot Agent XE (X550)  v2.4.45
Intel(R) Boot Agent I40E       v1.1.42
Intel(R) Boot Agent CL         v0.1.16
Intel(R) Boot Agent ICE        v2.6.00
UEFI x64 PCI-E gigabit driver  v9.8.06
UEFI x64 10 gigabit driver     v8.1.02
UEFI x64 40 gigabit driver     v4.9.13
UEFI x64 100 gigabit driver    v4.0.12

Can confirm the UEFI PCIe gigabit drivers are updated.

1 Like
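
Added example, not part of any post in the thread: a Python sketch that parses the two iv.txt listings quoted above and reports which components changed between the v26.8 and v27.4 packages. The function names are illustrative, and only the component lines are compared (the "Combo Image Version Name" line has no "v" prefix and is skipped).

```python
import re
# Component lines copied from the v26.8 and v27.4 iv.txt listings in the thread.
IV_26_8 = """\
Combo Rules                    v4.91.00
Clp-Loader Option ROM          v3.1.30
40G Interface Module           v1.0.88
iSCSI Option ROM               v3.1.80
iSCSI Setup Option ROM         v3.1.80
Intel(R) Boot Agent GE         v1.5.89
Intel(R) Boot Agent XE         v2.4.45
Intel(R) Boot Agent XE (X550)  v2.4.45
Intel(R) Boot Agent I40E       v1.1.31
Intel(R) Boot Agent CL         v0.1.16
Intel(R) Boot Agent ICE        v2.5.01
UEFI x64 PCI-E gigabit driver  v9.7.06
UEFI x64 10 gigabit driver     v8.1.00
UEFI x64 40 gigabit driver     v4.8.08
UEFI x64 100 gigabit driver    v3.1.24"""
IV_27_4 = """\
Combo Rules                    v4.97.00
Clp-Loader Option ROM          v3.1.30
40G Interface Module           v1.0.92
iSCSI Option ROM               v3.1.80
iSCSI Setup Option ROM         v3.1.80
Intel(R) Boot Agent GE         v1.5.89
Intel(R) Boot Agent XE         v2.4.45
Intel(R) Boot Agent XE (X550)  v2.4.45
Intel(R) Boot Agent I40E       v1.1.42
Intel(R) Boot Agent CL         v0.1.16
Intel(R) Boot Agent ICE        v2.6.00
UEFI x64 PCI-E gigabit driver  v9.8.06
UEFI x64 10 gigabit driver     v8.1.02
UEFI x64 40 gigabit driver     v4.9.13
UEFI x64 100 gigabit driver    v4.0.12"""

ROW = re.compile(r"^(?P<name>.+?)\s+v(?P<ver>\d+(?:\.\d+)+)$")

def parse_iv(text):
    """Map component name -> version string; lines without a 'v' version are skipped."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m["name"]: m["ver"] for m in rows if m}

def changed(old, new):
    """Components whose version differs, or that exist in only one listing."""
    names = sorted(old.keys() | new.keys())
    return {n: (old.get(n), new.get(n)) for n in names if old.get(n) != new.get(n)}

for name, (before, after) in changed(parse_iv(IV_26_8), parse_iv(IV_27_4)).items():
    print(f"{name:32} {before} -> {after}")
```

The output lists Intel(R) Boot Agent GE as unchanged (it is absent from the diff) and the UEFI x64 PCI-E gigabit driver moving from v9.7.06 to v9.8.06, which matches the confirmation in the post.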

I was able to update the i350 firmware from one of the Dell update packages. However, my machine had CSM turned on because of an old video card (so secure boot was off on first boot). Do I have anything to worry about? I got the card from TechMikeNY, which seems to be a pretty reputable seller. Barring some option ROM malware installed at whatever data center this used to be at, I think I’m OK(?) Planning to replace my GPU with one that supports UEFI anyway.
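
Added example, not part of any post in the thread: a Python sketch that walks the image chain of a PCI expansion (option) ROM and labels each image as legacy x86 or EFI, which is the distinction behind the CSM and Secure Boot discussion above. The sample ROM is constructed for the demo (header and PCIR structure only, with a placeholder device ID), and the function names are illustrative.

```python
import struct

# Code type values from the PCI Data Structure ("PCIR") of an expansion ROM image.
CODE_TYPES = {0: "legacy x86 (runs via BIOS/CSM)", 1: "Open Firmware",
              2: "HP PA-RISC", 3: "EFI (signature-checked when Secure Boot is on)"}

def make_image(code_type, last, blocks=1):
    """Constructed test image: ROM header plus PCIR only, no executable code."""
    img = bytearray(512 * blocks)
    img[0:2] = b"\x55\xaa"                        # ROM signature
    struct.pack_into("<H", img, 0x18, 0x1C)       # offset of the PCIR structure
    # 0x8086 is Intel's PCI vendor ID; 0xFFFF is a placeholder device ID.
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", 0x8086, 0xFFFF)
    struct.pack_into("<H", img, 0x1C + 0x10, blocks)  # image length, 512-byte units
    img[0x1C + 0x14] = code_type
    img[0x1C + 0x15] = 0x80 if last else 0x00     # bit 7 marks the last image
    return bytes(img)

def list_images(rom):
    """Walk the image chain and return one dict per image; stop on malformed data."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xaa":
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir + 0x16 > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        blocks = struct.unpack_from("<H", rom, pcir + 0x10)[0]
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        images.append({"offset": off, "vendor": vendor, "device": device,
                       "size": blocks * 512, "code_type": code_type,
                       "kind": CODE_TYPES.get(code_type, "unknown")})
        if indicator & 0x80 or blocks == 0:       # last image, or would loop forever
            break
        off += blocks * 512
    return images

def legacy_images(rom):
    """Images that only execute through CSM, where Secure Boot is not enforced."""
    return [i for i in list_images(rom) if i["code_type"] == 0]

# Constructed two-image ROM: a legacy image followed by an EFI driver image.
SAMPLE_ROM = make_image(0, last=False, blocks=2) + make_image(3, last=True)

if __name__ == "__main__":
    for image in list_images(SAMPLE_ROM):
        print(f"{image['offset']:#06x} {image['size']:5d} bytes  {image['kind']}")
```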