UEFI Secure Boot is a security standard that helps ensure that your PC boots using only software that is trusted by the PC manufacturer. For certain virtual machine hardware versions and operating systems, you can enable secure boot just as you can for a physical machine.

In an operating system that supports UEFI secure boot, each piece of boot software is signed, including the bootloader, the operating system kernel, and operating system drivers. The virtual machine's default configuration includes several code signing certificates.
  • A Microsoft certificate that is used only for booting Windows.
  • A Microsoft certificate that is used for third-party code that is signed by Microsoft, such as Linux bootloaders.
  • A VMware certificate that is used only for booting ESXi inside a virtual machine.

The virtual machine's default configuration also includes one certificate, a Microsoft KEK (Key Exchange Key) certificate, that authenticates requests made from inside the virtual machine to modify the secure boot configuration, including the secure boot revocation list.

In almost all cases, it is not necessary to replace the existing certificates. If you do want to replace the certificates, see the VMware Knowledge Base.

VMware Tools version 10.1 or later is required for virtual machines that use UEFI secure boot. You can upgrade those virtual machines to a later version of VMware Tools when it becomes available.

For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode. Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.

Note: If you turn on secure boot for a virtual machine, you can load only signed drivers into that virtual machine.

Prerequisites

You can enable secure boot only if all prerequisites are met. If prerequisites are not met, the check box is not visible in the vSphere Web Client.
  • Verify that the virtual machine operating system and firmware support UEFI boot.
    • EFI firmware.
    • Virtual hardware version 13 or later.
    • Operating system that supports UEFI secure boot.
    Note: You cannot upgrade a virtual machine that uses BIOS boot to a virtual machine that uses UEFI boot. If you upgrade a virtual machine that already uses UEFI boot to an operating system that supports UEFI secure boot, you can enable secure boot for that virtual machine.
  • Turn off the virtual machine. If the virtual machine is running, the check box is dimmed.

You need VirtualMachine.Config.Settings privileges to enable or disable UEFI secure boot for the virtual machine.

Procedure

  1. Log in to the vSphere Web Client and select the virtual machine.
  2. In the Edit Settings dialog, open Boot Options, and ensure that firmware is set to EFI.
  3. Click the Enable secure boot check box and click OK.
  4. If you later want to disable secure boot, you can click the check box again.
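The prerequisite checks and the enable step above can also be scripted. The following PowerCLI example is added here and is not VMware's own documentation code; it assumes PowerCLI is installed, that a session to vCenter already exists (`Connect-VIServer`), that the account holds the VirtualMachine.Config.Settings privilege named above, and that `example-vm` is a placeholder VM name. It reads the firmware type, hardware version and power state from the VM configuration, applies the same rules as the prerequisites list (EFI firmware, hardware version 13 or later, powered off) and only then sets the `EfiSecureBootEnabled` boot option through the vSphere API.

```powershell
# Added example, not VMware documentation code. Assumes an existing PowerCLI
# session (Connect-VIServer) and a VM named 'example-vm' (placeholder).

function Get-VMSecureBootStatus {
    param([Parameter(Mandatory)][string]$Name)
    $vm  = Get-VM -Name $Name
    $cfg = $vm.ExtensionData.Config
    # Config.Version looks like 'vmx-13'; keep the numeric part
    $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
    [pscustomobject]@{
        Name              = $vm.Name
        PowerState        = $vm.PowerState
        Firmware          = $cfg.Firmware                       # 'efi' or 'bios'
        HardwareVersion   = $hwVersion
        SecureBootEnabled = $cfg.BootOptions.EfiSecureBootEnabled
        ToolsVersion      = $cfg.Tools.ToolsVersion             # VMware Tools 10.1 or later is required
        # Same rules as the Prerequisites section: EFI firmware, HW version 13+, VM powered off
        CanEnable         = ($cfg.Firmware -eq 'efi') -and
                            ($hwVersion -ge 13) -and
                            ($vm.PowerState -eq 'PoweredOff')
    }
}

function Enable-VMSecureBoot {
    param([Parameter(Mandatory)][string]$Name)
    $status = Get-VMSecureBootStatus -Name $Name
    if (-not $status.CanEnable) {
        # Mirrors the Web Client behaviour: the option is unavailable until prerequisites hold
        throw ("Cannot enable secure boot on '{0}': firmware={1} hwVersion={2} state={3}" -f
               $Name, $status.Firmware, $status.HardwareVersion, $status.PowerState)
    }
    # Equivalent of ticking 'Enable secure boot' in Edit Settings > Boot Options
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    (Get-VM -Name $Name).ExtensionData.ReconfigVM($spec)
    # Re-read the configuration so the caller sees the applied setting
    Get-VMSecureBootStatus -Name $Name
}

# Audit every VM in the inventory, then enable secure boot on one of them
Get-VM | ForEach-Object { Get-VMSecureBootStatus -Name $_.Name } | Format-Table -AutoSize
Enable-VMSecureBoot -Name 'example-vm'
```

Setting `EfiSecureBootEnabled` to `$false` in the same `VirtualMachineBootOptions` object is the scripted equivalent of clearing the check box in step 4. The audit line is useful on its own: VMs that report `Firmware = bios` cannot be converted in place, as the note under Prerequisites states, so they need a fresh EFI-based deployment before secure boot is an option.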

Results

When the virtual machine boots, only components with valid signatures are allowed. The boot process stops with an error if it encounters a component with a missing or invalid signature.
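To confirm from inside a Windows guest that the virtual machine actually booted with secure boot enforced, and to spot drivers without a signature before they are refused at boot (see the note above on signed drivers), the following script can be run in an elevated PowerShell session in the guest. It is an added example, not part of the VMware documentation, and uses only built-in Windows cmdlets and WMI classes; the report object shape is this example's own choice.

```powershell
# Added example, not VMware documentation code. Run inside a Windows guest as
# Administrator; Confirm-SecureBootUEFI comes with the built-in SecureBoot module.

function Get-GuestSecureBootReport {
    # 'UEFI' or 'Legacy' on Windows 8 / Server 2012 and later
    $firmware = $env:firmware_type

    $sbState = $null
    try {
        # $true when the firmware reports secure boot on; throws on BIOS firmware
        # or when the session is not elevated
        $sbState = Confirm-SecureBootUEFI
    } catch {
        $sbState = "unavailable: $($_.Exception.Message)"
    }

    # Drivers recorded without a signature are the ones secure boot will not load
    $unsigned = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.IsSigned -eq $false -and $_.DriverProviderName } |
        Select-Object DeviceName, DriverProviderName, InfName

    [pscustomobject]@{
        FirmwareType      = $firmware
        SecureBootEnabled = $sbState
        UnsignedDrivers   = @($unsigned)
    }
}

Get-GuestSecureBootReport | Format-List
```

On a Linux guest the equivalent check is `mokutil --sb-state`, which prints `SecureBoot enabled` when the kernel was started under secure boot. A guest that reports `FirmwareType = Legacy` was not created with EFI firmware and therefore cannot have the option enabled on the vSphere side.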