
UEFI Secure Boot with vSphere Auto Deploy (2148532)

Details

Secure Boot is part of the UEFI firmware standard. With Secure Boot enabled, the machine refuses to load any UEFI driver or application, including the operating system boot loader, unless it is cryptographically signed by a key the firmware trusts. Starting with vSphere 6.5, ESXi supports Secure Boot if it is enabled in the hardware.

Solution

UEFI Secure Boot Overview
 
ESXi version 6.5 and later supports UEFI Secure Boot at each level of the boot stack. For more information, see the UEFI Secure Boot for ESXi Hosts section in the vSphere 6.5 Security Guide.
 
To use Secure Boot without Auto Deploy, it is sufficient to have either the UEFI-CA certificate or VMware's certificate enrolled in the UEFI firmware's whitelist (db variable), or both. Most machines have the UEFI-CA certificate preloaded in the default db by the hardware vendor.
 
Using Secure Boot with vSphere Auto Deploy
 
To use UEFI Secure Boot with vSphere Auto Deploy, you have to:
  1. Enroll the VMware certificate in the UEFI firmware whitelist (db variable).
     1. Download the VMware certificate attached to this KB article as 2148532_vmware_esx40_der.zip.

        Note: VMware recommends using the following SignatureOwner GUID for our key certificates: a3d5e95b-0a8f-4753-8735-445afb708f62.

     2. Enroll the VMware certificate in the UEFI firmware.
        The procedure for manually enrolling VMware certificates into the UEFI firmware's whitelist (db variable) depends on the machine's hardware vendor. Look for documentation from your hardware vendor on how to perform the enrollment.
        For example, you can find the procedure for Dell hardware in Defining a Secure Boot Policy.
  2. Use the VMware official-key boot file snponly64.efi.vmw-hardwired.officialkey.

Note: Be sure to follow the Auto Deploy Best Practices in the vSphere Installation and Setup Guide.
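Vendor enrollment tools usually expect the certificate wrapped in an EFI_SIGNATURE_LIST that carries the SignatureOwner GUID above. The following is an added example, not VMware's own tooling: it builds that structure around a DER certificate and parses it back as a consistency check. EFI_CERT_X509_GUID is the UEFI specification's type GUID for X.509 entries; the certificate bytes used here are a constructed stand-in, not the certificate from the KB attachment.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): marks a DER X.509 certificate entry.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID that this KB recommends for the VMware certificate.
VMWARE_OWNER_GUID = uuid.UUID("a3d5e95b-0a8f-4753-8735-445afb708f62")

# Constructed stand-in for the DER certificate from 2148532_vmware_esx40_der.zip.
# It is only a SEQUENCE header plus padding, NOT a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 256


def build_x509_esl(cert_der: bytes, owner: uuid.UUID = VMWARE_OWNER_GUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST suitable for the db variable.

    Layout (integers little-endian, GUIDs in UEFI mixed-endian byte order):
      EFI_SIGNATURE_LIST: SignatureType(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
      EFI_SIGNATURE_DATA: SignatureOwner(16) | SignatureData(len(cert_der))
    """
    if not cert_der or cert_der[0] != 0x30:
        raise ValueError("certificate must be DER (starts with a SEQUENCE tag)")
    sig_size = 16 + len(cert_der)            # owner GUID + certificate bytes
    list_size = 16 + 4 + 4 + 4 + sig_size    # header + single signature entry
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> dict:
    """Parse a single-entry X.509 EFI_SIGNATURE_LIST and verify its size fields."""
    if len(blob) < 28:
        raise ValueError("too short for an EFI_SIGNATURE_LIST header")
    sig_type = uuid.UUID(bytes_le=blob[:16])
    list_size, header_size, sig_size = struct.unpack("<III", blob[16:28])
    if sig_type != EFI_CERT_X509_GUID:
        raise ValueError(f"unexpected SignatureType {sig_type}")
    if header_size != 0 or list_size != len(blob) or 28 + sig_size != list_size:
        raise ValueError("size fields do not match the blob length")
    return {"owner": uuid.UUID(bytes_le=blob[28:44]), "cert_der": blob[44:list_size]}


if __name__ == "__main__":
    esl = build_x509_esl(SAMPLE_CERT_DER)
    with open("vmware_esx40.esl", "wb") as fh:
        fh.write(esl)
    print(parse_esl(esl)["owner"], len(esl), "bytes written")
```

Replace SAMPLE_CERT_DER with the DER file extracted from the KB attachment before handing the resulting .esl to the vendor's enrollment tool.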

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
