Secure boot is part of the UEFI firmware standard. With secure boot in use, a machine refuses to load any UEFI driver or app unless the operating system bootloader is cryptographically signed. In vSphere 6.5 and later, ESXi supports secure boot if it is enabled in the hardware.

How ESXi Uses UEFI Secure Boot

ESXi version 6.5 and later supports UEFI Secure Boot at each level of the boot stack.

Note: Before you use UEFI Secure Boot on a host that was upgraded, check for compatibility by following the instructions in Run the Secure Boot Validation Script After ESXi Upgrade.

Figure 1. UEFI Secure Boot (the figure shows the elements of the UEFI secure boot stack, which are explained in the text that follows)

With secure boot in use, the boot sequence proceeds as follows.

  1. In vSphere 6.5 and later, the ESXi bootloader contains a VMware public key. The bootloader uses this key to verify the signature of the kernel and a small subset of the system that includes a secure boot VIB verifier.
  2. The VIB verifier verifies every VIB package that is installed on the system.

At this point, the entire system boots with the root of trust in certificates that are part of the UEFI firmware.

Note: When you install or upgrade to vSphere 7.0 Update 2 or later on an ESXi host that has a TPM, the TPM seals the host's sensitive information under a TPM policy based on the PCR values that record the UEFI Secure Boot state. On subsequent reboots, the sealed information is unsealed and loaded only if that policy is satisfied. To deactivate or activate UEFI Secure Boot in vSphere 7.0 Update 2 and later, see Activate or Deactivate the Secure Boot Enforcement for a Secure ESXi Configuration.

Troubleshooting UEFI Secure Boot

If secure boot does not succeed at any level of the boot sequence, an error results.

The error message depends on the hardware vendor and on the level at which verification did not succeed.
  • If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error occurs during the boot sequence. The exact message depends on the hardware vendor; it might look like the following example.
    UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy
  • If the kernel has been tampered with, an error like the following results.
    Fatal error: 39 (Secure Boot Failed)
  • If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.
    UEFI Secure Boot failed:
    Failed to verify signatures of the following vibs (XX)

To resolve issues with secure boot, follow these steps.

  1. Reboot the host with secure boot deactivated.
  2. Run the secure boot verification script (see Run the Secure Boot Validation Script After ESXi Upgrade).
  3. Examine the information in the /var/log/esxupdate.log file.

Run the Secure Boot Validation Script After ESXi Upgrade

After you upgrade an ESXi host from a version that does not support UEFI secure boot, you must check if you can activate secure boot.

For secure boot to succeed, the signature of every installed VIB must be available on the system. Older versions of ESXi do not save the signatures when installing VIBs.
  • If you upgrade using ESXCLI commands, the old version of ESXi performs the installation of the new VIBs, so their signatures are not saved and secure boot is not possible.
  • If you upgrade using the ISO, new VIBs do have their signatures saved. This is true also for vSphere Lifecycle Manager upgrades that use the ISO.
  • If old VIBs remain on the system, the signatures of those VIBs are not available and secure boot is not possible.
    • If the system uses a third-party driver, and the VMware upgrade does not include a new version of the driver VIB, then the old VIB remains on the system after upgrade.
    • In rare cases, VMware might drop ongoing development of a specific VIB without providing a new VIB that replaces or obsoletes it, so the old VIB remains on the system after upgrade.

Note: UEFI secure boot also requires an up-to-date bootloader. The validation script described here does not check whether the bootloader is up to date.

Prerequisites

After you upgrade an ESXi host from an older version of ESXi that did not support UEFI secure boot, you might be able to activate secure boot. Whether you can activate secure boot depends on how you performed the upgrade and whether the upgrade replaced all the existing VIBs or left some VIBs unchanged. You can run a validation script after you perform the upgrade to determine whether the upgraded installation supports secure boot.
  • Verify that the hardware supports UEFI secure boot.
  • Verify that all VIBs are signed with an acceptance level of at least PartnerSupported. If you include VIBs at the CommunitySupported level, you cannot use secure boot.

Procedure

  1. Upgrade ESXi, then run the following command.
    /usr/lib/vmware/secureboot/bin/secureBoot.py -c
  2. Check the output.
    The output either includes Secure boot can be enabled or Secure boot CANNOT be enabled.
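The rules above (every VIB needs a saved signature, old VIBs installed by a pre-secure-boot ESXi have none, and nothing below PartnerSupported is allowed) can be modelled as a readiness check over a VIB inventory. The following is an added example, not VMware's secureBoot.py and not its actual logic; the VIB names and the inventory are constructed, and the two verdict phrases are the ones the page says the script prints.

```python
from dataclasses import dataclass

# ESXi acceptance levels, most to least trusted; the page requires at least PartnerSupported.
ACCEPTANCE_RANK = {"VMwareCertified": 3, "VMwareAccepted": 2,
                   "PartnerSupported": 1, "CommunitySupported": 0}
MIN_LEVEL = "PartnerSupported"


@dataclass(frozen=True)
class Vib:
    name: str
    acceptance: str
    # False when the VIB was installed by a pre-secure-boot ESXi, so no signature is available.
    signature_saved: bool


def check_vib(vib: Vib) -> list[str]:
    """Return the reasons this VIB blocks secure boot (empty if it is fine)."""
    reasons = []
    if not vib.signature_saved:
        reasons.append(f"{vib.name}: signature not saved on the system")
    if ACCEPTANCE_RANK.get(vib.acceptance, -1) < ACCEPTANCE_RANK[MIN_LEVEL]:
        reasons.append(f"{vib.name}: acceptance level {vib.acceptance!r} "
                       f"is below {MIN_LEVEL}")
    return reasons


def secure_boot_check(vibs: list[Vib]) -> tuple[bool, list[str]]:
    """Verdict over the whole inventory: (can_enable, reasons)."""
    reasons = [r for v in vibs for r in check_vib(v)]
    return not reasons, reasons


def verdict_text(can_enable: bool) -> str:
    return "Secure boot can be enabled" if can_enable else "Secure boot CANNOT be enabled"


# Constructed inventory (hypothetical names): an ISO upgrade that left an old
# third-party driver VIB in place and also carries a CommunitySupported VIB.
SAMPLE_VIBS = [
    Vib("esx-base", "VMwareCertified", True),
    Vib("net-oldvendor-nic", "PartnerSupported", False),
    Vib("community-tool", "CommunitySupported", True),
]

if __name__ == "__main__":
    ok, why = secure_boot_check(SAMPLE_VIBS)
    print(verdict_text(ok), *why, sep="\n  - ")
```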