The acceptance level of a VIB depends on the amount of certification of that VIB. The acceptance level of the host depends on the level of the lowest VIB. If you want to allow lower-level VIBs, you can change the acceptance level of the host. You can remove CommunitySupported VIBs to be able to change the host acceptance level.
VIBs are software packages that include a signature from VMware or a VMware partner. To protect the integrity of the ESXi host, do not allow users to install unsigned (community-supported) VIBs. An unsigned VIB contains code that is not certified by, accepted by, or supported by VMware or its partners. Community-supported VIBs do not have a digital signature.
The host's acceptance level must be the same or less restrictive than the acceptance level of any VIB you want to add to the host. For example, if the host acceptance level is VMwareAccepted, you cannot install VIBs at the PartnerSupported level. You can use ESXCLI commands to set an acceptance level for a host. To protect the security and integrity of your ESXi hosts, do not allow unsigned (CommunitySupported) VIBs to be installed on hosts in production systems.
The acceptance level for an ESXi host is displayed in the Security Profile in the vSphere Client.
- VMwareCertified
- The VMwareCertified acceptance level has the most stringent requirements. VIBs with this level go through thorough testing fully equivalent to VMware in-house Quality Assurance testing for the same technology. Today, only I/O Vendor Program (IOVP) program drivers are published at this level. VMware takes support calls for VIBs with this acceptance level.
- VMwareAccepted
- VIBs with this acceptance level go through verification testing, but the tests do not fully test every function of the software. The partner runs the tests and VMware verifies the result. Today, CIM providers and PSA plug-ins are among the VIBs published at this level. VMware directs customers with support calls for VIBs with this acceptance level to contact the partner's support organization.
- PartnerSupported
- VIBs with the PartnerSupported acceptance level are published by a partner that VMware trusts. The partner performs all testing. VMware does not verify the results. This level is used for a new or nonmainstream technology that partners want to enable for VMware systems. Today, driver VIB technologies such as Infiniband, ATAoE, and SSD are at this level with nonstandard hardware drivers. VMware directs customers with support calls for VIBs with this acceptance level to contact the partner's support organization.
- CommunitySupported
- The CommunitySupported acceptance level is for VIBs created by individuals or companies outside of VMware partner programs. VIBs at this level have not gone through any VMware-approved testing program and are not supported by VMware Technical Support or by a VMware partner.
Procedure
Results
ESXi conducts integrity checks of VIBs governed by the Acceptance Level. You can use the VMkernel.Boot.execInstalledOnly
setting to instruct ESXi to only execute binaries that originate from a valid VIB installed on the host. Combined with Secure Boot, this setting ensures that every single process ever run on an ESXi host is signed, allowed, and expected. By default, the VMkernel.Boot.execInstalledOnly
setting is disabled for partner compatibility in vSphere 7. Enabling this setting when possible improves security. For more information on configuring advanced options for ESXi, see the VMware knowledge base article at https://kb.vmware.com/kb/1038578.