vSphere 7 ESXi Secure Boot Options

ESXi provides the option of using UEFI Secure Boot. UEFI Secure Boot is a mechanism that makes sure that only trusted code is loaded by the EFI firmware. Then only the ESXi OS is loaded and you get finally to the UI where you can log in.

When Secure Boot is enabled, the UEFI firmware process the validation of the kernel which is digitally signed. It is verified and compared with a digital certificate which is stored in the UEFI firmware.

VMware has started to support Secure boot with ESXi 6.5, but the hardware must support it first and this feature must be enabled. ESXi version 6.5 and later supports UEFI Secure Boot at each level of the boot stack where even the vSphere Installation Bundles (VIBs) are digitally signed.

During the boot time, the ESXi file system tries to map to the content of those packages. It's basically the kernel that validates each VIB by using the Secure Boot verifier against the firmware-based certificate. The system is making sure that all VIBs are matching.

When Secure Boot is enabled, ESXi does not allow the installation of unsigned VIBs on ESXi. If you want to install unsigned VIBs such as community drivers, you must disable Secure Boot. If you enable Secure Boot, the Secure Boot verifier runs.

If the secure boot verifier detects some unsigned VIBs, it basically generates a PSOD. If you still want to boot the ESXi (for testing), you need to boot the ESXi host with Secure Boot disabled, remove the VIB, and reboot with Secure Boot enabled.

NEW:

Download FREE Study VCP7-DCV Guide at Nakivo.

The exam duration is 130 minutes
The number of questions is 70
The passing Score is 300
Price = $250.00

Using TPM chips

ESXi can use Trusted Platform Module (TPM) chips, which are secure cryptoprocessors that enhance host security by providing a trust assurance rooted in hardware as opposed to software. You can buy them separately from your hardware.

TPM is an industry-standard for secure cryptoprocessors. TPM chips can also be installed in laptops, desktops, and servers. vSphere 7.0 supports TPM version 2.0.

A TPM 2.0 chip basically guarantees the ESXi host’s identity.

UEFI Secure Boot makes basically sure that only signed software is loaded at boot time. So it is a requirement for successful attestation.

TPM v2.0

The hardware chip will be used by ESXi host. Within the hardware, there is the UEFI firmware which validates the bootloader and the VM kernel. In the Kernel, a number of measurements are taken, which are stored in the TPM device.

The boot continues and that information is passed to vCenter. It's vCenter which queries the ESXi host and queries the TPM device and compares the hashes which have been reported by ESXi against the hashes reported by TPM.

Find other chapters on the main page of the guide – VCP7-DCV Study Guide – VCP-DCV 2021 Certification.

VMware Direct download/buy links:

VMware Education (On Demand Courses)

VMware vSphere: Install, Configure, Manage [v7] – On Demand
VMware vSphere: Optimize and Scale [v7] – On Demand
VMware vSphere: Install, Configure, Manage [V6.7] – On Demand
VMware NSX-T Data Center: Troubleshooting and Operations [V2.4] – On Demand
VMware vSphere: What's New [V6.7 to V7] – On Demand
VMware vSphere: Optimize and Scale [V6.7] – On Demand
VMware VCP Exam Vouchers – VCP exam vouchers may be used as payment for different VMware certification exams:

***********************************

VCA | VCP | VCAP or VCIX exam vouchers

***********************************

VMware Learning Credits – Learning Credits provide the dual benefit of funding a well-trained IT staff, along with discounts options of up to 15 percent. Customers can schedule training when and how they need it. Customers can buy credits at the time of license purchase or as a stand-alone purchase

Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)

Vote !