We just noticed that since vSphere 6.5, Secure Boot is supported.
From online document:
The virtual machine's default configuration includes one certificate for authenticating requests to modify the secure boot configuration, including the secure boot revocation list, from inside the virtual machine, which is a Microsoft KEK (Key Exchange Key) certificate.
In almost all cases, it is not necessary to replace the existing certificates. If you do want to replace the certificates, see the VMware Knowledge Base system.
Does anyone know which KB article covers replacing the existing certificates?
That was posted on the beta forums; that's possibly why. Reposted the reply for you.
Custom Secure Boot configuration while deploying a new Virtual Machine
The Secure Boot configuration is stored in NVRAM. If the NVRAM contains no Secure Boot configuration (a freshly deployed VM, or a VM for which the .nvram file has been deleted from the datastore), the Secure Boot configuration will be reset to the defaults described in the UEFI Specification (the variables named PKDefault, KEKDefault, dbDefault and dbxDefault). You can use advanced VM config options to control those defaults, through which you can pre-populate the Secure Boot configuration before the VM is first powered on.
If you want to deploy the certificates as part of the VM's configuration, copy the DER-encoded certificate into the VM's directory and add the following advanced VM config options:
uefi.secureBoot.dbDefault.file0 = "custom-cert.der"
where "custom-cert.der" is the name of the DER-encoded certificate file within the VM's directory. You can repeat that for file1, file2, file3, etc., to add multiple certificates.
If you want to pre-configure SHA-256 hashes into the Secure Boot approved database (db) or revoked database (dbx), put a hexadecimal representation of the file's Authenticode hash (note: this is not the regular SHA-256 sum over the whole file) into an advanced VM config option like this:
uefi.secureBoot.dbDefault.value0 = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
If you want to replace the default certs so that only your custom certs are present, also add:
uefi.secureBoot.dbDefault.append = "FALSE"
which will remove the default certs before starting to add your custom certs. By default, your custom certificates will be appended to the default set of certificates.
By default, the virtual machine's configuration cannot be modified from within the virtual machine. If you use the technique described above to install your own Platform Key into the PK variable or to provision your own certificate into the Key Exchange Key database in the KEK variable, you can modify Secure Boot configuration from within the virtual machine by using the corresponding private keys, as described in the UEFI Specification. Discussion of how to prepare and correctly authenticate a modification to the virtual machine's Secure Boot configuration is beyond the scope of this document.
If you wish to manually modify a virtual machine's Secure Boot configuration, you can enable the use of the firmware's user interface for managing Secure Boot configuration using the following advanced VM config option:
uefi.allowAuthBypass = "TRUE"
Power on the virtual machine to its firmware user interface. You can achieve this by pressing the "Esc" key at the virtual machine's console while the "VMware" logo is displayed -- Set bios.bootDelay = "10000" if you need more time to do that. Or, just set bios.forceSetupOnce = "TRUE" to force the firmware's user interface to appear on the next boot.
At the firmware user interface, choose Enter setup, then a Secure Boot Configuration menu will be present to allow for manipulation of the Secure Boot configuration.
For reasons of platform integrity, the Secure Boot configuration menu will only be available if the uefi.allowAuthBypass option is set and when the virtual machine has not made any attempt to boot an operating system since it was powered on.
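The post above stresses that a db/dbx entry is the Authenticode hash of the PE image, not the SHA-256 of the whole file. The following is an added example, not code from the thread or from VMware: it implements the Authenticode hashing rules from Microsoft's PE Authenticode specification (skip the CheckSum field and the Certificate Table directory entry, hash sections in file-offset order, exclude the attribute certificate table) and renders the uefi.secureBoot.dbDefault.valueN line shown above. To make it runnable offline it also builds a constructed minimal PE32+ image; the dbx key name (uefi.secureBoot.dbxDefault.valueN) is an assumption by analogy with the dbxDefault variable named in the post.

```python
"""Authenticode hash of a PE image for a Secure Boot db/dbx entry (added example)."""
import hashlib
import struct
import sys

FILE_ALIGN = 512


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Hex Authenticode digest of a PE image (PE32 or PE32+).

    Excluded: the CheckSum field, the Certificate Table data-directory entry
    and the attribute certificate table itself. Sections are hashed in
    ascending PointerToRawData order, as the Authenticode spec requires.
    """
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start at +96
        dd_base = opt + 96
    elif magic == 0x20B:          # PE32+: data directories start at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    cert_dir_off = dd_base + 4 * 8          # IMAGE_DIRECTORY_ENTRY_SECURITY
    _cert_off, cert_size = struct.unpack_from("<II", data, cert_dir_off)

    # Headers, minus CheckSum (4 bytes) and the certificate directory entry (8 bytes)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:cert_dir_off])
    h.update(data[cert_dir_off + 8:size_of_headers])
    hashed = size_of_headers

    # Section raw data, sorted by file offset
    sec_table = opt + opt_size
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data past the last section, excluding the certificate table
    extra = len(data) - hashed - cert_size
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def vmx_hash_option(data: bytes, index: int = 0, database: str = "db") -> str:
    """Advanced VM option line for this image. 'dbx' key name is assumed by analogy."""
    if database not in ("db", "dbx"):
        raise ValueError("database must be 'db' or 'dbx'")
    return 'uefi.secureBoot.%sDefault.value%d = "%s"' % (database, index, authenticode_hash(data))


def build_sample_pe(payload: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ EFI application: one .text section plus an
    optional placeholder attribute certificate table appended at the end."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)         # Section/File alignment
    struct.pack_into("<I", opt, 56, 0x2000)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                    # CheckSum (not hashed)
    struct.pack_into("<H", opt, 68, 10)                          # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
    raw_ptr = FILE_ALIGN
    if cert_blob:                                                # security directory -> blob
        struct.pack_into("<II", opt, 112 + 4 * 8, raw_ptr + raw_size, len(cert_blob))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(FILE_ALIGN, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + cert_blob


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(vmx_hash_option(f.read()))      # hash a real bootloader/kernel EFI image
    else:
        print(vmx_hash_option(build_sample_pe(b"\xc3" * 100)))
```

Run it with the path of the signed or unsigned EFI binary you want to whitelist (or revoke) and paste the printed line into the .vmx. Because the checksum, the certificate directory entry and the certificate table are excluded, signing the same image later does not change its hash, which is exactly why Secure Boot can match a dbx hash against both signed and unsigned copies of a binary.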
Thanks for your information about how to manually deploy and configure settings for VM Secure Boot certificates.
I was also wondering whether there is any SDK API that can help to automate the tasks you mentioned before.
In vSphere 6.5, you can use the ReconfigVM_Task to automate these tasks. The 'uefi.secureBoot.*' options are all a part of the extraConfig property in VirtualMachineConfigSpec. In case you are not familiar with extraConfig, I have pulled the relevant information from the VMware vSphere 6.5 Documentation Center: VMware vSphere 6.5 Documentation Library
"extraConfig: Additional configuration information for the virtual machine. This describes a set of modifications to the additional options. If the key is already present, it will be reset with the new value provided. Otherwise, a new option is added. Keys with empty values will be removed.
Configuration keys that would conflict with parameters that are explicitly configurable through other fields in the ConfigSpec object are silently ignored.
Reconfigure privilege: VirtualMachine.Config.AdvancedConfig (also required when setting this property while creating a virtual machine)"
Does this answer your question?
I was looking at the FileManager object in VMware vSphere 6.5 Documentation Library, and it seems to be that something like CopyDatastoreFile_Task should do the job here. I think that once you adjust the permission levels on the VM folder, you can use this to upload any certificate files you may need to the VM folder.
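Putting the two answers above together, here is an added example (not VMware's code and not from the thread) that builds the uefi.secureBoot.* extraConfig pairs, applies them with ReconfigVM_Task, and removes the VM's .nvram with FileManager so the *Default variables are re-applied at next power-on. It assumes the pyVmomi SDK is installed, that the DER certificate has already been placed in the VM directory, and that the NVRAM file is named after the VM unless the nvram option in extraConfig says otherwise; the vSphere calls are only made when you run it against a real endpoint.

```python
"""Automate the thread's Secure Boot extraConfig with pyVmomi (added example)."""
import re
import ssl
from typing import Iterable, List, Tuple

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def secure_boot_extra_config(cert_files: Iterable[str] = (),
                             db_hashes: Iterable[str] = (),
                             replace_defaults: bool = False) -> List[Tuple[str, str]]:
    """Build the uefi.secureBoot.* key/value pairs described in the thread.

    cert_files: bare filenames of DER certificates in the VM directory (fileN).
    db_hashes:  hex Authenticode hashes for the approved database (valueN).
    """
    opts = [("uefi.secureBoot.enabled", "TRUE")]
    if replace_defaults:
        # Remove the stock db entries before adding ours.
        opts.append(("uefi.secureBoot.dbDefault.append", "FALSE"))
    for i, name in enumerate(cert_files):
        if "/" in name or "\\" in name or not name.lower().endswith(".der"):
            raise ValueError("expected a bare .der filename in the VM directory: %r" % name)
        opts.append(("uefi.secureBoot.dbDefault.file%d" % i, name))
    for i, digest in enumerate(db_hashes):
        if not HEX_SHA256.match(digest):
            raise ValueError("not a hex SHA-256 Authenticode hash: %r" % digest)
        opts.append(("uefi.secureBoot.dbDefault.value%d" % i, digest.lower()))
    return opts


def connect(host: str, user: str, password: str):
    """Open a vSphere API session with normal TLS verification."""
    from pyVim.connect import SmartConnect
    return SmartConnect(host=host, user=user, pwd=password,
                        sslContext=ssl.create_default_context())


def find_vm(si, name: str):
    from pyVmomi import vim
    view = si.content.viewManager.CreateContainerView(
        si.content.rootFolder, [vim.VirtualMachine], True)
    try:
        return next(v for v in view.view if v.name == name)
    finally:
        view.Destroy()


def apply_extra_config(vm, options: List[Tuple[str, str]]) -> None:
    """ReconfigVM_Task with extraConfig; needs VirtualMachine.Config.AdvancedConfig."""
    from pyVmomi import vim
    from pyVim.task import WaitForTask
    if vm.runtime.powerState != "poweredOff":
        raise RuntimeError("power the VM off before changing Secure Boot defaults")
    spec = vim.vm.ConfigSpec(
        extraConfig=[vim.option.OptionValue(key=k, value=v) for k, v in options])
    WaitForTask(vm.ReconfigVM_Task(spec=spec))


def delete_nvram(si, vm) -> None:
    """Delete the .nvram so the firmware rebuilds Secure Boot config from the
    *Default variables on next power-on (it only does so when no NVRAM exists)."""
    from pyVmomi import vim
    from pyVim.task import WaitForTask
    vmx_path = vm.config.files.vmPathName                  # "[ds] dir/vm.vmx"
    # Assumption: default NVRAM name is <vmname>.nvram unless 'nvram' is set.
    nvram_name = next((o.value for o in vm.config.extraConfig if o.key == "nvram"), None)
    nvram_path = vmx_path.rsplit("/", 1)[0] + "/" + (nvram_name or vm.name + ".nvram")
    dc = vm
    while not isinstance(dc, vim.Datacenter):
        dc = dc.parent
    WaitForTask(si.content.fileManager.DeleteDatastoreFile_Task(
        name=nvram_path, datacenter=dc))


if __name__ == "__main__":
    import getpass
    import sys
    host, user, vm_name = sys.argv[1:4]
    si = connect(host, user, getpass.getpass("vSphere password: "))
    vm = find_vm(si, vm_name)
    apply_extra_config(vm, secure_boot_extra_config(["Our-DB.der"], replace_defaults=True))
    delete_nvram(si, vm)
```

The power-off check matters: extraConfig edits on a running VM are accepted but the firmware reads the *Default variables only when it starts with no NVRAM, so reconfigure, drop the .nvram, then power on. Copy the .der into the VM folder beforehand (datastore browser or FileManager); the option value is a bare filename relative to that folder, which is why the helper rejects paths.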
Is this still working for you guys?
Had this working. Last week I installed the latest updates on ESXi. Hardly use this VM, just for testing some EFI bootloaders + kernels we sign ourselves.
Powered on today -> Worked just fine initially
Power off and back on -> Dead as !@#$. Hangs in POST screen every time. No DHCP request, nothing but the logo (we PXE boot it).
Unregistered it, removed all files but our cert file and the .vmx from the VM folder. Reregistered it, powered on -> surprise: the Fedora 27 ISO loaded. That's... not possible with only our key DB. Or should I say it shouldn't be possible? Tried PXE boot and sure enough, it doesn't work because it doesn't import the key.
Relevant config in .vmx:
uefi.secureBoot.enabled = "TRUE"
uefi.allowAuthBypass = "TRUE"
uefi.secureBoot.dbDefault.file0 = "Our-DB.der"
Quite amazed on how this EFI stuff made it to the market. It doesn't seem to work bug free *anywhere*.