VMware Cloud Community
Stateful
Contributor

Enabling Secure Boot not possible

I am trying to enable Secure Boot, but I'm running into a similar issue to the one described here: https://www.reddit.com/r/vmware/comments/mtb870/unable_to_enable_secure_boot_on_my_motherboard/

The mainboard has a TPM and UEFI is enabled. The ESXi version is 7.02.

The system is booted with iPXE (UEFI mode). ESXi is installed on an iSCSI disk. Booting and managing the ESXi host works in general. The iPXE file is "ipxe.efi" from VCSA.

When I run:

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

I get:

Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated

Also, running dmesg shows me some snippets indicating that UEFI and Secure Boot were used for booting (e.g. "UEFI secure boot succeeded") and that the TPM is working ("tpm driver loaded successfully").

But when I then try to enable it with:

esxcli system settings encryption set --require-secure-boot=T

I get:

Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.

Any ideas what is going on? Or at least some way to get more verbose information on why it failed?

3 Replies
roseVM
Contributor

I am also observing this on a TPM card that is not included in this KB.

Did anyone find a fix?

LabMasterBeta
Enthusiast

The TPM chip must be 2.0 (1.x won't work).

The TPM chip must be on VMware's supported/validated list.

If ESXi was installed BEFORE the TPM module was installed, you must re-install ESXi; otherwise ESXi has stored its Secure Boot info in an encrypted file (the fallback behavior, which only happens once, during the first install).

Once you have a supported TPM 2.0, a potential fix for you is here:

https://communities.vmware.com/t5/ESXi-Discussions/How-can-set-require-secure-boot-TRUE-on-esxi-host...

albertohitech2
Contributor

We had to enable the TPM in the BIOS and, under Advanced, change the encryption to SHA 256, which resolved our issue with a PowerEdge T350 on ESXi 8.0.

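Added example, not code from this thread or from VMware: a pre-flight script that rolls the checks the original post and the replies touch on into one pass before running `esxcli system settings encryption set --require-secure-boot=TRUE`. It takes the text of `esxcli hardware trustedboot get`, `esxcli system settings encryption get`, `secureBoot.py -c` and the kernel log as arguments, so it can run live in the ESXi shell or offline against saved output. The sample outputs embedded below are constructed (shaped like the real commands, values invented). The "Mode: TPM" check is an assumption drawn from LabMasterBeta's description of the encrypted fallback file and from the error text in the original post, not from VMware documentation. The TPM version (2.0 vs 1.x) and the SHA-256 setting from the last reply are firmware settings that none of these outputs expose, so the script cannot check them.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware.
# Pre-flight for: esxcli system settings encryption set --require-secure-boot=TRUE
#
# sb_preflight TRUSTEDBOOT ENCRYPTION SBCHECK KERNLOG
#   TRUSTEDBOOT : text of `esxcli hardware trustedboot get`
#   ENCRYPTION  : text of `esxcli system settings encryption get`
#   SBCHECK     : text of `/usr/lib/vmware/secureboot/bin/secureBoot.py -c`
#   KERNLOG     : text of `dmesg` (or /var/log/vmkernel.log)
# Prints one "FAIL ..." line per unmet precondition; returns 0 only if none failed.
sb_preflight() {
  tb=$1 enc=$2 sbc=$3 klog=$4
  rc=0
  # 1. Does ESXi see a TPM at all? (firmware must expose it)
  case "$tb" in
    *"Tpm Present: true"*) ;;
    *) echo "FAIL tpm: ESXi does not see a TPM; enable it in firmware setup"; rc=1 ;;
  esac
  # 2. Did the TPM driver load during this boot?
  case "$klog" in
    *"tpm driver loaded"*) ;;
    *) echo "FAIL tpmdrv: no 'tpm driver loaded' line in the kernel log"; rc=1 ;;
  esac
  # 3. Was this boot a verified UEFI Secure Boot? (legacy/CSM or SB-off boots fail here)
  case "$klog" in
    *"UEFI secure boot succeeded"*) ;;
    *) echo "FAIL uefi: no 'UEFI secure boot succeeded' line; this boot was not a UEFI secure boot"; rc=1 ;;
  esac
  # 4. Are all VIBs/tardisks signed so Secure Boot enforcement would not brick the host?
  case "$sbc" in
    *"Secure boot can be enabled"*) ;;
    *) echo "FAIL vibs: secureBoot.py -c did not pass: $(printf '%s\n' "$sbc" | head -n 1)"; rc=1 ;;
  esac
  # 5. Assumption (from the replies, not VMware docs): the host must already be in
  #    TPM config-encryption mode; Mode NONE means the fallback encrypted file is in use.
  case "$enc" in
    *"Mode: TPM"*) ;;
    *"Mode: NONE"*) echo "FAIL mode: config encryption Mode is NONE, host is not using the TPM (installed before the TPM was fitted?)"; rc=1 ;;
    *) echo "FAIL mode: no 'Mode:' line in encryption settings output"; rc=1 ;;
  esac
  return $rc
}

# Live run on an ESXi host: gather the four outputs and evaluate them.
sb_preflight_live() {
  sb_preflight "$(esxcli hardware trustedboot get 2>&1)" \
               "$(esxcli system settings encryption get 2>&1)" \
               "$(/usr/lib/vmware/secureboot/bin/secureBoot.py -c 2>&1)" \
               "$(dmesg 2>&1)"
}

# Constructed sample output (shaped like the real commands, values invented)
# so the script also demonstrates itself off-host.
TB_OK='   Drtm Enabled: false
   Tpm Present: true'
TB_NOTPM='   Drtm Enabled: false
   Tpm Present: false'
ENC_OK='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
ENC_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
SB_OK='Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated'
SB_BAD='Secure boot CANNOT be enabled: Failed to verify signatures of the following vib(s): [ example-vib ].'
LOG_OK='0:00:00:01.234 cpu0:2097152)UEFI secure boot succeeded
0:00:00:02.345 cpu0:2097152)tpm driver loaded successfully'

if command -v esxcli >/dev/null 2>&1; then
  sb_preflight_live && echo "OK: safe to run: esxcli system settings encryption set --require-secure-boot=TRUE"
else
  echo "no esxcli here; demonstrating against constructed output:"
  sb_preflight "$TB_NOTPM" "$ENC_NONE" "$SB_BAD" "$LOG_OK" || echo "(3 checks failed, as expected)"
fi
```

Run it from the ESXi shell right after a reboot with Secure Boot switched on in firmware; each FAIL line names the command whose output did not contain what the thread says a working host shows, which is more than the generic "Unable to change the encryption mode and policy" error gives you. A host that passes all five checks but still fails to set the policy is the case the replies point at: a TPM 1.x part, a module not on VMware's list, or a hash-algorithm setting in firmware, none of which is visible in these outputs.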