What is Secure Boot

Secure Boot is a security feature that prevents malicious software from loading while your system boots. With Secure Boot in use, a machine refuses to load any UEFI (Unified Extensible Firmware Interface) driver or application unless it, including the operating system bootloader, is cryptographically signed by a trusted key. In vSphere 6.5 and later, ESXi supports Secure Boot if it is enabled in the hardware. Secure Boot is part of the UEFI firmware standard.

What is UEFI Secure Boot for ESXi

Secure Boot for ESXi uses the UEFI firmware to validate the digital signature of the ESXi kernel against a digital certificate stored in the UEFI firmware. This ensures that only a properly signed kernel boots. ESXi itself is made up of digitally signed packages, called vSphere Installation Bundles (VIBs).

A prerequisite is to enable Secure Boot at the system's firmware (BIOS/UEFI) level. If you're not sure how, consult your vendor's documentation (e.g. HPE ProLiant or Dell PowerEdge). However, you also need to enable it on the ESXi side. In this blog post I will show you what Secure Boot is, why you would need it, and how to enable it on your system.

Full details are in the VMware Docs; a summary with some more detail follows below.

How to enable Secure Boot on ESXi

  • Hardware
    • Prerequisite: enable Secure Boot at the BIOS/UEFI level; check your vendor for firmware configuration details
  • ESXi host OS
    • Put the host in maintenance mode
    • Check the current configuration on the ESXi host (SSH as root)
    • VMware documentation: link
    • Commands to use:
      • esxcli system settings encryption get
      • esxcli system settings encryption set --require-secure-boot=T
      • esxcli system shutdown reboot -r "Restarting now to enable Secure Boot"

What this looks like in the CLI

First, confirm from the ESXi host itself that Secure Boot is not yet required:

[root@esxi-1:~] esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: false

[root@esxi-1:~] esxcli system settings encryption set --require-secure-boot=T
[root@esxi-1:~] esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true

Perform a restart by typing:
[root@esxi-1:~] esxcli system shutdown reboot -r "Restarting now to enable Secure Boot"
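The check-then-set procedure above, as an added example that is not part of the original post: a small POSIX shell script that parses the output of "esxcli system settings encryption get", reports whether "Require Secure Boot" is already enforced, and only applies the set command on a real host when explicitly asked. It assumes the esxcli commands and output format shown in this post; the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not the post's own code. Audits (and on request
# enables) "Require Secure Boot" on an ESXi host via esxcli output.

# Constructed sample of `esxcli system settings encryption get`
# output, mirroring the post, so the parser can be exercised offline.
SAMPLE_BEFORE='Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: false'

# Print the value of one "Key: value" line read from stdin.
# Exact key match (not a prefix match) avoids confusing similar keys.
get_setting() {
    awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# Exit status 0 when Secure Boot is already required, 1 otherwise.
secure_boot_required() {
    val=$(printf '%s\n' "$1" | get_setting "Require Secure Boot")
    [ "$val" = "true" ]
}

# Decide what still has to happen. Prints one of:
#   ok      - already enforced, nothing to change
#   enable  - run the set command, then reboot
#   unknown - key missing or changed; do not guess, stop
plan_for() {
    val=$(printf '%s\n' "$1" | get_setting "Require Secure Boot")
    case "$val" in
        true)  echo ok ;;
        false) echo enable ;;
        *)     echo unknown ;;
    esac
}

# Live mode only when invoked as `./secureboot.sh apply` on a host
# that actually has esxcli. The reboot stays an explicit operator step.
if [ "${1:-}" = "apply" ] && command -v esxcli >/dev/null 2>&1; then
    current=$(esxcli system settings encryption get)
    case "$(plan_for "$current")" in
        enable)
            esxcli system settings encryption set --require-secure-boot=T
            echo "Applied; reboot to take effect, e.g.:"
            echo "  esxcli system shutdown reboot -r 'Enable Secure Boot'" ;;
        ok)      echo "Secure Boot already required; nothing changed." ;;
        unknown) echo "Cannot read 'Require Secure Boot'; aborting." >&2
                 exit 2 ;;
    esac
fi
```

Run it without arguments to parse only; with "apply" on the host it performs the same set command the post shows and leaves the reboot to you.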


Good luck securing your ESXi hosts!

By DM