Enable or Disable the execInstalledOnly Enforcement for a Secure ESXi Configuration

You can choose to enable execInstalledOnly enforcement, or disable a previously enabled execInstalledOnly enforcement. You must use ESXCLI to change the setting in the TPM on the ESXi host. UEFI secure boot enforcement must be enabled before you can enable the execInstalledOnly enforcement.

This task applies only to ESXi hosts that have a TPM. The execInstalledOnly advanced ESXi boot option, when set to TRUE, guarantees that the VMkernel executes only those binaries that have been packaged and signed as part of a VIB. The enablement of this boot option can be enforced upon every boot by using the TPM.

Prerequisites

To enable the execInstalledOnly enforcement, you must first enable the UEFI secure boot enforcement. The execInstalledOnly enforcement is built on top of the UEFI secure boot enforcement. See Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings

Procedure

List the current settings on the ESXi host.
```
esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true
```
If execInstalledOnly enforcement is enabled, Require Executables Only From Installed VIBs displays true. If execInstalledOnly enforcement is disabled, Require Executables Only From Installed VIBs displays false. To enable the execInstalledOnly enforcement, the secure boot enforcement must be enabled, and Require Secure Boot displays true in this case.
If Mode appears as NONE, you must enable the TPM in the host's firmware and set the mode by running the following command:
```
esxcli system settings encryption set --mode=TPM
```
Also, if Require Secure Boot displays as False, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration to enable the enforcement.

Enable or disable the execInstalledOnly enforcement.

Option	Description
Enable	Verify that the secure boot option is enforced. esxcli system settings encryption get Mode: TPM Require Executables Only From Installed VIBs: false Require Secure Boot: true Confirm that Require Secure Boot displays true. If not, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration. To configure the runtime value of the execInstalledOnly boot option to TRUE, run the following ESXCLI command. esxcli system settings kernel set -s execInstalledOnly -v TRUE Shut down the host gracefully. For example, right-click the ESXi host in the vSphere Client and select Power > Shut Down. Restart the host. To set the execInstalledOnly enforcement, run the following ESXCLI command. esxcli system settings encryption set --require-exec-installed-only=T Verify the change. esxcli system settings encryption get Mode: TPM Require Executables Only From Installed VIBs: true Require Secure Boot: true Confirm that Require Executables Only From Installed VIBs displays true. To save the setting, run the following command. /bin/backup.sh 0
Disable	Run the following ESXCLI command. esxcli system settings encryption set --require-exec-installed-only=F Verify the change. esxcli system settings encryption get Mode: TPM Require Executables Only From Installed VIBs: false Require Secure Boot: true Confirm that Require Executables Only From Installed VIBs displays false. To save the setting, run the following command. /bin/backup.sh 0 The TPM no longer enforces the execInstalledOnly boot option.

Option

Description

Enable

Verify that the secure boot option is enforced.
```
esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true
```
Confirm that Require Secure Boot displays true. If not, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
To configure the runtime value of the execInstalledOnly boot option to TRUE, run the following ESXCLI command.
```
esxcli system settings kernel set -s execInstalledOnly -v TRUE
```
Shut down the host gracefully.
For example, right-click the ESXi host in the vSphere Client and select Power > Shut Down.
Restart the host.
To set the execInstalledOnly enforcement, run the following ESXCLI command.
```
esxcli system settings encryption set --require-exec-installed-only=T 
```

Verify the change.

esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true

Confirm that Require Executables Only From Installed VIBs displays true.

To save the setting, run the following command.
```
/bin/backup.sh 0
```

Disable

Run the following ESXCLI command.

esxcli system settings encryption set --require-exec-installed-only=F

Verify the change.

esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true

Confirm that Require Executables Only From Installed VIBs displays false.

To save the setting, run the following command.
```
/bin/backup.sh 0
```
The TPM no longer enforces the execInstalledOnly boot option.

Results

The ESXi host runs with execInstalledOnly enforcement enabled or disabled, depending on your choice.