On my research list: “ESXi” “Secure Boot” – Google Search
Posted by jpluimers on 2022/01/12
On my research list: [Wayback] “ESXi” “Secure Boot” – Google Search.
Some links about it:
- [Wayback] Using ESXi Kickstart %firstboot with Secure Boot
- [Wayback] ESXi 6.7 – Secure Boot and startup script – VMware Technology Network VMTN
- [Archive.is] Secure Boot for ESXi 6.5 – Hypervisor Assurance – VMware vSphere Blog
- [Archive.is] Prepping an ESXi 6.7 host for Secure Boot – VMware vSphere Blog
- [Wayback] virtualization – ESXi 7.X file permissions – how to buypass new security measures – Server Fault
Even in ESXi 7.0 some files can still be edited, e.g. /etc/rc.local.d/local.sh. This script will be executed by /etc/rc.local, so you can add your commands there.
You just need to be aware that this script will not be executed if you have UEFI Secure boot enabled on your host.
- [Wayback] UEFI Secure Boot for ESXi Hosts
Secure boot is part of the UEFI firmware standard. With secure boot enabled, a machine refuses to load any UEFI driver or app unless the operating system bootloader is cryptographically signed. Starting with vSphere 6.5, ESXi supports secure boot if it is enabled in the hardware.
…
UEFI Secure Boot Troubleshooting
If secure boot does not succeed at any level of the boot sequence, an error results.
The error message depends on the hardware vendor and on the level at which verification did not succeed.
- If you attempt to boot with a bootloader that is unsigned or has been tampered with, an error during the boot sequence results. The exact message depends on the hardware vendor. It might look like the following error, but might look different.
UEFI0073: Unable to boot PXE Device…because of the Secure Boot policy
- If the kernel has been tampered with, an error like the following results.
Fatal error: 39 (Secure Boot Failed)
- If a package (VIB or driver) has been tampered with, a purple screen with the following message appears.
UEFI Secure Boot failed: Failed to verify signatures of the following vibs (XX)
To resolve issues with secure boot, follow these steps.
- Reboot the host with secure boot disabled.
- Run the secure boot verification script (see Run the Secure Boot Validation Script on an Upgraded ESXi Host).
- Examine the information in the /var/log/esxupdate.log file.
Run the Secure Boot Validation Script on an Upgraded ESXi Host
After you upgrade an ESXi host from an older version of ESXi that did not support UEFI secure boot, you might be able to enable secure boot. Whether you can enable secure boot depends on how you performed the upgrade and whether the upgrade replaced all the existing VIBs or left some VIBs unchanged. You can run a validation script after you perform the upgrade to determine whether the upgraded installation supports secure boot. [Read more]
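As an added example (not code from this post, the Server Fault answer or VMware's documentation): a small ESXi-shell helper that walks the three quoted troubleshooting steps and reports Secure Boot status first, since with Secure Boot enabled local.sh will not run. It assumes the validation script lives at /usr/lib/vmware/secureboot/bin/secureBoot.py with -s for status and -c for the VIB check, and the output wording it parses is an assumption that may differ between releases.

```shell
#!/bin/sh
# Added example, not VMware's code: automates the quoted troubleshooting
# sequence from the ESXi shell. Assumed (not on the page): the validation
# script path below, its -s (status) and -c (check) options, and the rough
# wording of its output; adjust to what your release actually prints.
SECUREBOOT_PY=/usr/lib/vmware/secureboot/bin/secureBoot.py
ESXUPDATE_LOG=/var/log/esxupdate.log

# Read the output of "secureBoot.py -c" on stdin. Print "ok" and return 0
# when every VIB signature verified; otherwise print one failing VIB per
# line and return 1. The "vib(s):" suffix format is an assumption.
vib_check_verdict() {
    out=$(cat)
    case "$out" in
        *"All vib signatures verified"*) echo ok; return 0 ;;
    esac
    printf '%s\n' "$out" | sed -n 's/.*vib(s):[[:space:]]*//p' \
        | tr -d '[]' | tr -s ' ,' '\n' | sed '/^$/d'
    return 1
}

# Step 3: pull the signature/acceptance related lines out of esxupdate.log.
# Prints nothing (and still returns 0) when the file has none.
esxupdate_signature_lines() {
    grep -iE 'signature|acceptance|unsigned|not signed' "$1" 2>/dev/null || true
}

# Only runs on a real host; elsewhere the functions are merely defined.
if [ -x "$SECUREBOOT_PY" ]; then
    # Status first: when this says Enabled, /etc/rc.local.d/local.sh will
    # not run, so do not expect commands placed there to take effect.
    echo "Secure Boot status: $("$SECUREBOOT_PY" -s)"
    if "$SECUREBOOT_PY" -c | vib_check_verdict; then
        echo "VIB check: all signatures verified"
    else
        echo "VIB check: the VIBs listed above need reinstalling from signed packages"
    fi
    echo "--- relevant lines from $ESXUPDATE_LOG ---"
    esxupdate_signature_lines "$ESXUPDATE_LOG"
fi
```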
–jeroen