Secure boot is part of the UEFI firmware standard. With secure boot enabled, a machine refuses to load any UEFI driver or app unless the operating system bootloader is cryptographically signed. Starting with vSphere 6.5, ESXi supports secure boot if it is enabled in the hardware.
How ESXi Uses UEFI Secure Boot
ESXi version 6.5 and later supports UEFI Secure Boot at each level of the boot stack.
With secure boot enabled, the boot sequence proceeds as follows.
- Starting with vSphere 6.5, the ESXi bootloader contains a VMware public key. The bootloader uses this key to verify the signature of the kernel and a small subset of the system that includes a secure boot VIB verifier.
- The VIB verifier verifies every VIB package that is installed on the system.
At this point, the entire system boots with the root of trust in certificates that are part of the UEFI firmware.
Troubleshooting UEFI Secure Boot
If secure boot does not succeed at any level of the boot sequence, an error results.
- If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error during the boot sequence results. The exact message depends on the hardware vendor. It might look like the following error, but might look different.
UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy
- If the kernel has been tampered with, an error like the following results.
Fatal error: 39 (Secure Boot Failed)
- If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.
UEFI Secure Boot failed: Failed to verify signatures of the following vibs (XX)
To resolve issues with secure boot, follow these steps.
- Reboot the host with secure boot disabled.
- Run the secure boot verification script (see Run the Secure Boot Validation Script on an Upgraded ESXi Host).
- Examine the information in the /var/log/esxupdate.log file.