VMware Cloud Community
lerf2
Contributor

How to replace default certificate for Secure Boot Virtual Machine?

Hi,

We just noticed that since vSphere 6.5, Secure Boot is supported.

From online document:

Enable or Disable UEFI Secure Boot for a Virtual Machine

It mentioned:

The virtual machine's default configuration includes one certificate for authenticating requests to modify the secure boot configuration, including the secure boot revocation list, from inside the virtual machine, which is a Microsoft KEK (Key Exchange Key) certificate.

In almost all cases, it is not necessary to replace the existing certificates. If you do want to replace the certificates, see the VMware Knowledge Base system.

Does anyone know what is the KB for replacing existing certificates?

Thanks!

13 Replies
ssamyuktha
VMware Employee

Hi,

There isn't official documentation yet on how to do this, but Darius replied a few months earlier to another forum user who had a similar query. You can find the answer here: Please let me know if this works for you.

Sam

lerf2
Contributor

Hi Sam,

Thanks for your reply. However, I am not able to access that URL.

Does it need special permission?

ssamyuktha
VMware Employee

That was posted on the beta forums; that's possibly why. Reposted the reply for you.


Custom Secure Boot configuration while deploying a new Virtual Machine

The Secure Boot configuration is stored in NVRAM.  If the NVRAM contains no Secure Boot configuration (a freshly deployed VM, or a VM for which the .nvram file has been deleted from the datastore), the Secure Boot configuration will be reset to the defaults described in the UEFI Specification (the variables named PKDefault, KEKDefault, dbDefault and dbxDefault).  You can use advanced VM config options to control those defaults, through which you can pre-populate the Secure Boot configuration before the VM is first powered on.


If you want to deploy the certificates as part of the VM's configuration, copy the DER-encoded certificate into the VM's directory and add the following advanced VM config options:

   uefi.secureBoot.dbDefault.file0 = "custom-cert.der"

where "custom-cert.der" is the name of the DER-encoded certificate file within the VM's directory.  You can repeat that for file1, file2, file3, etc., to add multiple certificates.

If you want to pre-configure SHA-256 hashes into the Secure Boot approved database (db) or revoked database (dbx), put a hexadecimal representation of the file's Authenticode hash (note: this is not the regular SHA-256 sum over the whole file) into an advanced VM config option like this:

   uefi.secureBoot.dbDefault.value0 = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"

If you want to replace the default certs so that only your custom certs are present, also add:

   uefi.secureBoot.dbDefault.append = "FALSE"

which will remove the default certs before starting to add your custom certs.  By default, your custom certificates will be appended to the default set of certificates.

Modifying the Secure Boot configuration of an existing Virtual Machine

By default, the virtual machine's configuration cannot be modified from within the virtual machine.  If you use the technique described above to install your own Platform Key into the PK variable or to provision your own certificate into the Key Exchange Key database in the KEK variable, you can modify Secure Boot configuration from within the virtual machine by using the corresponding private keys, as described in the UEFI Specification.  Discussion of how to prepare and correctly authenticate a modification to the virtual machine's Secure Boot configuration is beyond the scope of this document.

If you wish to manually modify a virtual machine's Secure Boot configuration, you can enable the use of the firmware's user interface for managing Secure Boot configuration using the following advanced VM config option:

   uefi.allowAuthBypass = "TRUE"

Power on the virtual machine to its firmware user interface.  You can achieve this by pressing the "Esc" key at the virtual machine's console while the "VMware" logo is displayed -- Set bios.bootDelay = "10000" if you need more time to do that.  Or, just set bios.forceSetupOnce = "TRUE" to force the firmware's user interface to appear on the next boot.

At the firmware user interface, choose Enter setup, then a Secure Boot Configuration menu will be present to allow for manipulation of the Secure Boot configuration.

For reasons of platform integrity, the Secure Boot configuration menu will only be available if the uefi.allowAuthBypass option is set and when the virtual machine has not made any attempt to boot an operating system since it was powered on.

lerf2
Contributor

Hi Sam,

Thanks a lot for your information about how to manually deploy and configure settings for VM Secure Boot certificates.

I was also wondering whether there is any SDK API that can help to automate the tasks you mentioned before:


  • Deploy certificates to VM's directory and configure the settings: uefi.secureBoot.dbDefault.file0
  • Configure settings such as uefi.secureBoot.dbDefault.value0 / append ...etc..

Thanks!

ssamyuktha
VMware Employee

Hi,

In vSphere 6.5, you can use the ReconfigVM_Task to automate these tasks. The 'uefi.secureBoot.*' options are all part of the extraConfig property in VirtualMachineConfigSpec. In case you are not familiar with extraConfig, I have pulled the relevant information from the VMware vSphere 6.5 Documentation Center: VMware vSphere 6.5 Documentation Library

"extraConfig: Additional configuration information for the virtual machine. This describes a set of modifications to the additional options. If the key is already present, it will be reset with the new value provided. Otherwise, a new option is added. Keys with empty values will be removed.

Configuration keys that would conflict with parameters that are explicitly configurable through other fields in the ConfigSpec object are silently ignored.

Reconfigure privilege: VirtualMachine.Config.AdvancedConfig (also required when setting this property while creating a virtual machine)"

Does this answer your question?

Sam
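
As an added example (not VMware's code and not from anyone in this thread), the Python helper below builds the extraConfig key/value pairs for the uefi.secureBoot.* options from the reposted reply and hands them to ReconfigVM_Task as described above. It assumes pyVmomi for the API call; the dbxDefault.value key name is an assumption by analogy with dbDefault.value, which is the only hash key the reply shows.

```python
"""Build extraConfig entries for the uefi.secureBoot.* advanced options.

Added example, not VMware's code: it maps the options from the reposted reply
onto the key/value pairs ReconfigVM_Task expects in
VirtualMachineConfigSpec.extraConfig. The db option names come from the
reply; the dbxDefault.value key is assumed by analogy with dbDefault.value.
"""
import re

# The value must be the hex Authenticode hash of the image, not the SHA-256
# sum of the whole file; only the length and alphabet can be checked here.
_HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def _check_hash(value):
    value = value.strip().lower()
    if not _HEX_SHA256.match(value):
        raise ValueError(f"{value!r}: expected 64 hex digits (Authenticode SHA-256)")
    return value


def secure_boot_extra_config(db_certs=(), db_hashes=(), dbx_hashes=(),
                             replace_defaults=False):
    """Return [(key, value), ...] for the VM's advanced configuration.

    db_certs:         DER certificate file names already copied into the VM directory
    db_hashes:        Authenticode hashes to approve (db)
    dbx_hashes:       Authenticode hashes to revoke (dbx); key name assumed
    replace_defaults: drop the default certificates before adding custom ones
    """
    options = []
    for i, name in enumerate(db_certs):
        if not name.lower().endswith(".der"):
            raise ValueError(f"{name!r}: the option expects a DER-encoded file")
        options.append((f"uefi.secureBoot.dbDefault.file{i}", name))
    for i, digest in enumerate(db_hashes):
        options.append((f"uefi.secureBoot.dbDefault.value{i}", _check_hash(digest)))
    for i, digest in enumerate(dbx_hashes):
        options.append((f"uefi.secureBoot.dbxDefault.value{i}", _check_hash(digest)))
    if replace_defaults:
        # Without this the custom entries are appended to the default set.
        options.append(("uefi.secureBoot.dbDefault.append", "FALSE"))
    return options


def apply_to_vm(vm, options):
    """Push the options to a powered-off VM via ReconfigVM_Task (pyVmomi).

    Needs the VirtualMachine.Config.AdvancedConfig privilege; the defaults only
    take effect while the VM has no Secure Boot state in its .nvram file yet.
    """
    from pyVmomi import vim  # imported here so the builder works without pyVmomi
    spec = vim.vm.ConfigSpec(
        extraConfig=[vim.option.OptionValue(key=k, value=v) for k, v in options])
    return vm.ReconfigVM_Task(spec=spec)
```

Passing an empty string as a value removes a key, so the same builder output with empty values can be used to undo a custom configuration.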

lerf2
Contributor

Hi Sam,

Yes, your answer does help. Thank you!

Sorry, I still have another question: is there any SDK API that can help to upload a certificate to the VM folder?

Regards,

Kuanhung

ssamyuktha
VMware Employee

Hi Kuanhung,

I was looking at the FileManager object in the VMware vSphere 6.5 Documentation Library, and it seems that something like CopyDatastoreFile_Task should do the job here. I think that once you adjust the permission levels on the VM folder, you can use this to upload any certificate files you may need to the VM folder.


Sam

Freaky201110141
Contributor

Is this still working for you guys?

Had this working. Last week I installed the latest updates on ESXi. Hardly use this VM, just for testing some EFI bootloaders + kernels we sign ourselves.

Powered on today -> Worked just fine initially

Power off and back on -> Dead as !@#$. Hangs in POST screen every time. No DHCP request, nothing but the logo (we PXE boot it).

Unregistered it, removed all files but our cert file and the .vmx from the VM folder. Reregistered it, powered on -> be surprised. Fedora 27 ISO loaded. That's... not possible with only our key DB. Or should I say shouldn't be possible? Tried PXE boot and sure enough, it doesn't work cause it doesn't import the key.

Relevant config in .vmx:

uefi.secureBoot.enabled = "TRUE"
uefi.allowAuthBypass = "TRUE"
uefi.secureBoot.dbDefault.file0 = "Our-DB.der"

Quite amazed on how this EFI stuff made it to the market. It doesn't seem to work bug free *anywhere*.

BeHappy1
Contributor

Hi, does this work only in version 6.5? I tried it in version 7.0 and it didn't work.

dwchan
Enthusiast

Is it possible to install a VMware PK into a UEFI BIOS so a consumer-grade motherboard (in-home lab environment) can function with secure boot capability?

dc-vmware
Contributor

Any word on this?  It does not appear to work in 7.0.  Is there a new method, or was this functionality removed?

dc-vmware
Contributor

Hi @ssamyuktha ,

This info is really helpful.  But it doesn't seem to work in 7.0.  Is there a new method to set custom secure boot keys?  I have not been able to find any working method.

Thanks

Dave

Quenyen
Contributor

I am curious if I can still do this now on ESXi 8.0 U2. Is this still possible?
