
[MX/PTX] Minor 'VMHost RE x Secure Boot Disabled' alarm


Article ID: KB35975 KB Last Updated: 24 Jun 2020 Version: 1.0
Summary:

Secure Boot is a significant system security enhancement based on the UEFI standard (see www.uefi.org). It works by safeguarding the BIOS itself from tampering or modification and then maintaining that protection throughout the boot process.

The Secure Boot process begins with Secure Flash, which ensures that unauthorized changes cannot be made to the firmware. Authorized releases of Junos OS carry a digital signature produced by either Juniper Networks directly or one of its authorized partners. At each point of the boot-up process, each component verifies the next link is sound by checking the signature to ensure that the binaries have not been modified.

This article explains the meaning of the 'VMHost RE x Secure Boot Disabled' minor alarm on Juniper MX and PTX series devices.

Symptoms:

Active Alarm:

user@host> show chassis alarms
1 alarm currently active
Alarm time               Class  Description
2019-01-31 15:28:50 UTC  Minor  VMHost RE 1 Secure Boot Disabled

Error Log:

Jan 31 15:28:50.361 2020  craftd[12701]: %DAEMON-4: Minor alarm set, VMHost RE 0 Secure Boot Disabled
Jan 31 15:28:50.363 2020  alarmd[93777]: %DAEMON-4: Alarm set: RE color=YELLOW, class=CHASSIS, reason=VMHost RE 0 Secure Boot Disabled
Solution:

Verify the firmware version on the affected RE x:

user@host> show system firmware

The firmware should be at the latest available version. If it is not, upgrade the firmware to the available version by following the technical documentation on Installing and Upgrading Firmware.

Restart Chassis Control:

This stops the existing chassis-control process and starts a new one. The chassis manager then re-detects components, which can clear possible transient hardware issues.

user@host> restart chassis-control <gracefully|soft>

From the affected RE x, collect the following logs:

user@host> start shell user root

Enter Linux Host:

:~# vhclient -s
:~# /usr/bin/sb-status.sh
Secure Boot is enforced.  <-- Verifies secure boot is working
        OR
:~# sb-status.sh
Secure Boot is enforced.  <-- Verifies secure boot is working

Check BIOS details:

:~# dmidecode -s bios-version
# SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.
CBEP_P_VAL1_00.14.01

Collect VM Host Logs:

root@host:~# tar -cf ~/host_varlog_REx.tar -C /var/log/*
tar: Removing leading `/' from member names
root@host:~# ls -l | grep varlog
-rw-r--r--. 1 root root 75509760 Jun 18 02:55 host_varlog_REx.tar

Copy the file to VM Routing Engine /var/tmp.

-- PTX10K --
root@host:~# scp host_varlog_REx.tar root@192.168.3.1:/var/tmp/
Password:
host_varlog_REx.tar              100%   54MB  26.8MB/s   00:02


-- MX systems & PTX5K systems --
root@host:~# scp host_varlog_REx.tar root@192.168.3.2:/var/tmp/
Password:
host_varlog_REx.tar               100%   73MB  36.5MB/s   00:02


The VM Host logs collected above help JTAC analyze the issue and determine its root cause.

BIOS Upgrade: (IMPORTANT - Please consult JTAC before performing this step)

user@host> request system firmware upgrade re bios

In situations where Secure Boot is enforced and the alarm still shows, ignore the error message as it is harmless. You can upgrade to the latest Junos release to prevent this alarm from triggering. Involve JTAC to identify the latest recommended release best suited to your deployment.

If the error still persists, contact your JTAC Representative for a hands-on investigation.
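The triage described above can be automated across a fleet. The following Python helper is an added example, not Juniper's code: it replays alarm events from syslog and pairs each RE that is still alarmed with that RE's `sb-status.sh` output. The function names, the verdict strings and the "alarm cleared" message shape are assumptions; only the "alarm set" lines and the "Secure Boot is enforced." string come from this article.

```python
import re

# Message shapes copied from the craftd/alarmd lines in this article. The
# "cleared" variants are an assumption; the article only shows "set" lines.
EVENT = re.compile(
    r"(?P<proc>craftd|alarmd)\[\d+\]:.*?"
    r"(?P<verb>[Aa]larm set|[Aa]larm cleared)[:,].*?"
    r"VMHost RE (?P<slot>\d+) Secure Boot Disabled"
)
ENFORCED = "Secure Boot is enforced."  # sb-status.sh output shown in the article


def active_alarms(syslog_lines):
    """Replay set/cleared events in order; return RE slots still alarmed."""
    active = set()
    for line in syslog_lines:
        m = EVENT.search(line)
        if not m:
            continue
        slot = int(m.group("slot"))
        if m.group("verb").lower().endswith("set"):
            active.add(slot)
        else:
            active.discard(slot)
    return active


def triage(syslog_lines, sb_status_by_slot):
    """Pair each active alarm with that RE's sb-status.sh output (hypothetical verdicts)."""
    verdicts = {}
    for slot in sorted(active_alarms(syslog_lines)):
        status = sb_status_by_slot.get(slot)
        if status is None:
            verdicts[slot] = "no sb-status.sh output: collect host logs"
        elif ENFORCED in status:
            verdicts[slot] = "enforced: alarm is harmless, plan Junos upgrade"
        else:
            verdicts[slot] = "not confirmed enforced: escalate to JTAC"
    return verdicts


# Sample log: first two lines are from this article, last two are constructed.
SAMPLE_LOG = [
    "Jan 31 15:28:50.361 2020  craftd[12701]: %DAEMON-4: Minor alarm set, VMHost RE 0 Secure Boot Disabled",
    "Jan 31 15:28:50.363 2020  alarmd[93777]: %DAEMON-4: Alarm set: RE color=YELLOW, class=CHASSIS, reason=VMHost RE 0 Secure Boot Disabled",
    "Jan 31 15:29:02.100 2020  craftd[12701]: %DAEMON-4: Minor alarm set, VMHost RE 1 Secure Boot Disabled",
    "Jan 31 15:41:10.512 2020  craftd[12701]: %DAEMON-4: Minor alarm cleared, VMHost RE 1 Secure Boot Disabled",
]
```

Calling `triage(SAMPLE_LOG, {0: "Secure Boot is enforced."})` reports RE 0 as the harmless case; any `sb-status.sh` output other than the enforced string is treated as unconfirmed rather than guessed at.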
