Secure boot is part of the UEFI firmware standard. With secure boot enabled, a machine refuses to load any UEFI driver or app unless the operating system bootloader is cryptographically signed. Starting with vSphere 6.5, ESXi supports secure boot if it is enabled in the hardware.

How ESXi Uses UEFI Secure Boot

ESXi version 6.5 and later supports UEFI Secure Boot at each level of the boot stack.

Note: Before you use UEFI Secure Boot on a host that was upgraded, check for compatibility by following the instructions in Run the Secure Boot Validation Script on an Upgraded ESXi Host.
Figure 1. UEFI Secure Boot
The UEFI secure boot stack includes multiple elements, explained in the text.

With secure boot enabled, the boot sequence proceeds as follows.

  1. Starting with vSphere 6.5, the ESXi bootloader contains a VMware public key. The bootloader uses this key to verify the signature of the kernel and a small subset of the system that includes a secure boot VIB verifier.
  2. The VIB verifier verifies every VIB package that is installed on the system.

At this point, the entire system boots with the root of trust in certificates that are part of the UEFI firmware.

Note: When you install or upgrade to vSphere 7.0 Update 2 or later, and an ESXi host has a TPM, the TPM seals the sensitive information by using a TPM policy based on PCR values for UEFI Secure Boot. This value is loaded during subsequent reboots if the policy is satisfied as true. To disable or enable UEFI Secure Boot in vSphere 7.0 Update 2 and later, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.

Troubleshooting UEFI Secure Boot

If secure boot does not succeed at any level of the boot sequence, an error results.

The error message depends on the hardware vendor and on the level at which verification did not succeed.
  • If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error during the boot sequence results. The exact message depends on the hardware vendor. It might look like the following error, but might look different.
    UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy 
  • If the kernel has been tampered with, an error like the following results.
    Fatal error: 39 (Secure Boot Failed)
  • If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.
    UEFI Secure Boot failed:
    Failed to verify signatures of the following vibs (XX)

To resolve issues with secure boot, follow these steps.

  1. Reboot the host with secure boot disabled.
  2. Run the secure boot verification script (see Run the Secure Boot Validation Script on an Upgraded ESXi Host).
  3. Examine the information in the /var/log/esxupdate.log file.