You can choose to enable execInstalledOnly enforcement, or disable a previously enabled execInstalledOnly enforcement. You must use ESXCLI to change the setting in the TPM on the ESXi host. UEFI secure boot enforcement must be enabled before you can enable the execInstalledOnly enforcement.

This task applies only to ESXi hosts that have a TPM. The execInstalledOnly advanced ESXi boot option, when set to TRUE, guarantees that the VMkernel executes only those binaries that have been packaged and signed as part of a VIB. The enablement of this boot option can be enforced upon every boot by using the TPM.

Prerequisites

  • To enable the execInstalledOnly enforcement, you must first enable the UEFI secure boot enforcement. The execInstalledOnly enforcement is built on top of the UEFI secure boot enforcement. See Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings

Procedure

  1. List the current settings on the ESXi host.
    esxcli system settings encryption get
       Mode: TPM
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: true
    If execInstalledOnly enforcement is enabled, Require Executables Only From Installed VIBs displays true. If execInstalledOnly enforcement is disabled, Require Executables Only From Installed VIBs displays false. To enable the execInstalledOnly enforcement, the secure boot enforcement must be enabled, and Require Secure Boot displays true in this case.
    If Mode appears as NONE, you must enable the TPM in the host's firmware and set the mode by running the following command:
    esxcli system settings encryption set --mode=TPM
    Also, if Require Secure Boot displays as False, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration to enable the enforcement.
  2. Enable or disable the execInstalledOnly enforcement.
    Option Description
    Enable
    1. Verify that the secure boot option is enforced.
      esxcli system settings encryption get
         Mode: TPM
         Require Executables Only From Installed VIBs: false
         Require Secure Boot: true

      Confirm that Require Secure Boot displays true. If not, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.

    2. To configure the runtime value of the execInstalledOnly boot option to TRUE, run the following ESXCLI command.
      esxcli system settings kernel set -s execInstalledOnly -v TRUE
    3. Shut down the host gracefully.

      For example, right-click the ESXi host in the vSphere Client and select Power > Shut Down.

    4. Restart the host.
    5. To set the execInstalledOnly enforcement, run the following ESXCLI command.
      esxcli system settings encryption set --require-exec-installed-only=T 
    6. Verify the change.
      esxcli system settings encryption get
         Mode: TPM
         Require Executables Only From Installed VIBs: true
         Require Secure Boot: true

      Confirm that Require Executables Only From Installed VIBs displays true.

    7. To save the setting, run the following command.
      /bin/backup.sh 0
    Disable
    1. Run the following ESXCLI command.
      esxcli system settings encryption set --require-exec-installed-only=F
    2. Verify the change.
      esxcli system settings encryption get
         Mode: TPM
         Require Executables Only From Installed VIBs: false
         Require Secure Boot: true

      Confirm that Require Executables Only From Installed VIBs displays false.

    3. To save the setting, run the following command.
      /bin/backup.sh 0

      The TPM no longer enforces the execInstalledOnly boot option.

Results

The ESXi host runs with execInstalledOnly enforcement enabled or disabled, depending on your choice.