Starting with VMware vSphere 6.5, ESXi supports UEFI Secure Boot when it is enabled in the hardware. Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and the platform firmware.

Secure Boot is a protocol in UEFI firmware designed to ensure that boot loaders are not compromised. This article is dedicated to how UEFI Secure Boot works with VMware ESXi hosts.


Before we proceed further and talk about how UEFI Secure Boot works behind the covers, it is important to highlight the components ESXi is composed of: the boot loader (signed with the Microsoft UEFI public CA certificate), the VMkernel (cryptographically signed with the VMware public key), the Secure Boot Verifier (validates each cryptographically signed VIB against the VMware public key), and the vSphere Installation Bundles (VIBs), each of which comprises a gzipped TAR file archive, an XML descriptor file and a digital signature file.
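As an added example that is not part of the original article, the following Python checker inspects the VIB layout described above: a VIB is an ar archive carrying descriptor.xml (the XML descriptor), sig.pkcs7 (the digital signature) and the gzipped tar payload. The archive bytes, descriptor content and signature bytes are constructed inline as a sample; the script checks only that the expected parts are present, since validating the PKCS#7 signature against the VMware public key is the Secure Boot Verifier's job.

```python
import xml.etree.ElementTree as ET
AR_MAGIC = b"!<arch>\n"
REQUIRED = ("descriptor.xml", "sig.pkcs7")

def build_ar(members):
    """Build a minimal ar archive from {name: bytes}; used here only to construct sample input."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        assert len(name) <= 16, "classic ar headers hold at most 16 name bytes"
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
        out += hdr + data + (b"\n" if len(data) % 2 else b"")  # members start on even offsets
    return bytes(out)

def parse_ar(blob):
    """Return {member name: bytes} from an ar archive, rejecting malformed headers."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("truncated or corrupt member header")
        name = hdr[0:16].decode().rstrip(" /")  # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"member {name} is truncated")
        members[name] = data
        pos += 60 + size + (size % 2)
    return members

def inspect_vib(blob):
    """Check the VIB layout; return (vib name, acceptance level, list of problems)."""
    members = parse_ar(blob)
    problems = [f"missing {m}" for m in REQUIRED if m not in members]
    if not [m for m in members if m not in REQUIRED]:
        problems.append("no payload archive")
    if not members.get("sig.pkcs7", b"x").strip():
        problems.append("empty signature file")
    name = level = None
    if "descriptor.xml" in members:
        root = ET.fromstring(members["descriptor.xml"])
        name, level = root.findtext("name"), root.findtext("acceptance-level")
    return name, level, problems

# Constructed sample: made-up descriptor, placeholder signature bytes, stub gzip payload.
DESCRIPTOR = b'<vib version="5.0"><name>example-driver</name><acceptance-level>partner</acceptance-level></vib>'
SAMPLE_VIB = build_ar({"descriptor.xml": DESCRIPTOR, "sig.pkcs7": b"placeholder-pkcs7-signature\n",
                       "payload.tgz": b"\x1f\x8b\x08\x00stub"})
```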

Now that we have seen the components ESXi is composed of, let's go ahead and talk about how the boot process works behind the covers:

  1. The underlying hardware firmware from the vendor contains a digital certificate.
  2. The UEFI firmware validates the ESXi boot loader against that digital certificate.
  3. The ESXi boot loader already contains the VMware digital certificate and validates the VMkernel against it.
  4. The VMkernel then starts the Secure Boot Verifier, which also contains the VMware digital certificate.
  5. Last but not least, the Secure Boot Verifier validates all VIBs against the VMware digital certificate.

(Figure: Secure Boot root of trust)


When we power on the ESXi host, the UEFI firmware validates the ESXi boot loader against the Microsoft digital certificate held in the UEFI firmware; the ESXi boot loader validates the VMkernel against the VMware digital certificate held in the boot loader; the VMkernel then runs the Secure Boot Verifier, which validates each VIB against the VMware digital certificate held in the verifier; finally the management applications (hostd, DCUI) start.

If Secure Boot does not succeed at any level of the boot sequence, an error results that depends on the hardware vendor and on the level at which verification failed. For example, if we attempt to boot with a boot loader that is unsigned or has been tampered with, an error results stating "Unable to Boot PXE device..". To fix this kind of issue we can reboot the ESXi host with Secure Boot disabled and run the secure boot verification script.
