In vSphere 7.0 Update 2 and later, an ESXi host uses the TPM to seal the host's configuration against a Platform Configuration Register (PCR) policy. The PCR policy can be configured to enforce UEFI Secure Boot and other settings.
A TPM can use Platform Configuration Register (PCR) measurements to implement policies that restrict unauthorized access to sensitive data. When you install or upgrade an ESXi host with a TPM to vSphere 7.0 Update 2 and later, the TPM seals the sensitive information by using a policy that incorporates the secure boot setting. This policy checks that if secure boot was enabled when data was first sealed with the TPM, then secure boot must still be enabled when attempting to unseal the data on a subsequent boot.
Secure boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating system bootloader has a valid digital signature.
You can choose to disable or enable UEFI Secure Boot enforcement. See Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
esxcli system settings encryption set --mode=TPMOnce you have activated the TPM, you cannot undo the setting.
esxcli system settings encryption set
command fails on some TPMs even when the TPM is enabled for the host.
- In vSphere 7.0 Update 2: TPMs from NationZ (NTZ), Infineon Technologies (IFX), and certain new models (like NPCT75x) from Nuvoton Technologies Corporation (NTC)
- In vSphere 7.0 Update 3: TPMs from NationZ (NTZ)
If an installation or upgrade of vSphere 7.0 Update 2 or later is unable to use the TPM during the first boot, the installation or upgrade continues, and the mode defaults to NONE (that is, --mode=NONE
). The resulting behavior is as though the TPM is not activated.
The TPM can also enforce the setting for the execInstalledOnly boot option in the sealing policy. The execInstalledOnly enforcement is an advanced ESXi boot option that guarantees that the VMkernel executes only binaries that have been properly packaged and signed as part of a VIB. The execInstalledOnly boot option has a dependency on the secure boot option. The secure boot enforcement must be enabled before you can enforce the execInstalledOnly boot option in the sealing policy. See Enable or Disable the execInstalledOnly Enforcement for a Secure ESXi Configuration.