Secure boot is part of the UEFI firmware standard. With secure boot enabled, a machine refuses to load any UEFI driver or app unless the operating system bootloader is cryptographically signed. Starting with vSphere 6.5, ESXi supports secure boot if it is enabled in the hardware.

UEFI Secure Boot Overview

ESXi version 6.5 and later supports UEFI secure boot at each level of the boot stack for .

Note:

Before you use UEFI Secure Boot on a host that was upgraded to ESXi 6.5, check for compatibility by following the instructions in Run the Secure Boot Validation Script on an Upgraded ESXi Host. if you upgrade an ESXi host by using esxcli commands, the upgrade does not update the bootloader. In that case, you cannot perform a secure boot on that system.

Figure 1. UEFI Secure Boot
The UEFI secure boot stack includes multiple elements, explained in the text.

With secure boot enabled, the boot sequence proceeds as follows.

  1. Starting with vSphere 6.5, the ESXi bootloader contains a VMware public key. The bootloader uses this key to verify the signature of the kernel and a small subset of the system that includes a secure boot VIB verifier.

  2. The VIB verifier verifies every VIB package that is installed on the system.

At this point, the entire system is booted up, with the root of trust in certificates that are part of the UEFI firmware.

UEFI Secure Boot Troubleshooting

If secure boot does not succeed at any level of the boot sequence, an error results.

The error message depends on the hardware vendor and on the level at which verification did not succeed.

  • If you attempt to boot with a boot loader that is unsigned or has been tampered with, an error during the boot sequence results. The exact message depends on the hardware vendor. It might look like the following error, but might look different.

    UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy 
  • If the kernel has been tampered with, an error like the following results.

    Fatal error: 39 (Secure Boot Failed)
  • If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.

    UEFI Secure Boot failed:
    Failed to verify signatures of the following vibs (XX)

To resolve issues with secure boot, follow these steps.

  1. Reboot the host with secure boot disabled.

  2. Run the secure boot verification script (see Run the Secure Boot Validation Script on an Upgraded ESXi Host).

  3. Examine the information in the /var/log/esxupdate.log file.