VMware Communities
ktali
Contributor

UEFI Secure Boot support for guest Linux VM on Workstation 12 Pro

Hi,

Does Workstation Pro 12 or ESXi 6 support UEFI Secure Boot for a guest Linux VM (RHEL 7.x or CentOS 7.x)?

I am trying to create a guest Linux VM image using either ESXi or Workstation Pro 12, that has UEFI Secure Boot enabled.

In VMware Workstation, I enabled the 'Boot with EFI instead of BIOS' setting in the Advanced settings for the guest VM.

But I am still not able to see Secure Boot getting enabled in the guest VM.

How can I get Secure Boot enabled for guest Linux VMs using Workstation Pro or ESXi?

thank you,

Kumar Talinki

9 Replies
dariusd
VMware Employee

Hi Kumar,

ESXi 6.5 introduces guest Secure Boot support; it should work well with recent Windows and Linux guest OSes with OS-level support for UEFI Secure Boot.  Instructions are here: Enable or Disable UEFI Secure Boot for a Virtual Machine

Note that you'll obtain best results by using no older than RHEL/CentOS 7.3 as the guest OS... There were a few issues with our device drivers (particularly SVGA driver and vmmouse driver) which were only evident with Secure Boot enabled, and those issues have only been corrected in the most recent releases.

Support for guest Secure Boot is not included in any current versions of Workstation or Fusion.  It's likely that will change in the near future, although I can't say precisely when (product version or date) that might happen.

I've been attempting to update my handy document on Using EFI/UEFI firmware in a VMware Virtual Machine, but something is going wrong with that and I can't save my edits right now, so the information there regarding Secure Boot will stay out-of-date for now.  :(

If you're using Workstation and really want to try Secure Boot, you can always try running ESXi 6.5 as a VM inside Workstation. ;)

Cheers,

--

Darius

ktali
Contributor

Thank you Darius.

Yes, I am really going to follow your last suggestion ;)

I will try it out on ESXi 6.5.

thank you again,

Kumar Talinki

0 Kudos
ktali
Contributor

Darius,

I upgraded my ESXi to 6.5 and created a new CentOS 7 guest image with

Boot Options: EFI

Enable UEFI secure boot: enabled.

When I start the guest VM with the CD pointing to the CentOS 7 ISO image, I get the following error:

error: Can't read kernel /images/pxeboot/vmlinuz

error: you need to load kernel first

Do I need to do any UEFI-specific configuration before/while installing ESXi 6.5?

thank you and your help is appreciated,

Kumar Talinki

0 Kudos
dariusd
VMware Employee

It shouldn't need any specific configuration, as long as the guest OS has good EFI and Secure Boot support.

Which exact CentOS .iso image are you using?  (Minimal, DVD, Everything?)  I'll try it here and see what's going wrong.  I can't tell right away whether CentOS has included the signatures necessary for Secure Boot, so they might simply be lagging behind Red Hat in support for Secure Boot.

Does it work if you disable Secure Boot for that VM, so it'll just try a regular EFI/UEFI boot?

Thanks,

--

Darius

0 Kudos
ktali
Contributor

Darius,

I am using CentOS 7 x86_64 DVD Build 1511 (http://mirror.jaleco.com/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1511.iso)

I am seeing the same errors at boot time, whether I enable or disable UEFI Secure Boot for EFI boot.

Does the host machine need to use UEFI instead of BIOS to run ESXi?

The hardware I am running ESXi 6.5 on does not have any UEFI-related settings; I am guessing it does not support UEFI.

thank you,

Kumar Talinki

0 Kudos
dariusd
VMware Employee

The host system's firmware is not relevant at all (neither the physical host nor the nested "host").

I would expect that the medium you're using should be EFI-bootable, but I'll set about double-checking.  In the meantime, have you checked that your downloaded .iso file is complete and has the correct checksum?  Instructions: TipsAndTricks/sha256sum - CentOS Wiki

Cheers,

--

Darius

0 Kudos
ktali
Contributor

Darius,

Thanks for the info. I was able to get farther with RHEL 7.3 than with CentOS 7.

I was able to get the guest OS installed,

and mokutil --sb shows "SecureBoot enabled".

And I can see UEFI-related keys in the system_keyring.

Were you able to get CentOS working with UEFI Secure Boot enabled?

thank you for your help,

Kumar Talinki

0 Kudos
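The Secure Boot state reported in the post above can also be confirmed inside the guest without mokutil, by reading the firmware variables the kernel exposes. This is an added example, not part of the original thread; the function names and the result labels are this example's own, and it assumes efivarfs is mounted at /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: report the guest's Secure Boot state from efivarfs.
# EFI global variable GUID, under which SecureBoot and SetupMode live.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME
# Print the first data byte of an EFI variable as a decimal number.
# Each efivarfs file starts with a 4-byte attribute word; the variable's
# data follows, so the value of interest is the fifth byte.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && printf '%s' "$v"
}

# secure_boot_state [DIR]
# Prints one of: enabled, disabled, setup-mode, unknown, not-efi.
#   not-efi    : no efivars directory (BIOS boot, or efivarfs not mounted)
#   unknown    : firmware exposes no readable SecureBoot variable
#   setup-mode : no platform key enrolled, so signatures are not enforced
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo "not-efi"; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || { echo "unknown"; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo "setup-mode"
    elif [ "$sb" = 1 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}
```

Inside the guest, source the file and call `secure_boot_state` with no arguments; a VM that was switched to EFI but never had Secure Boot turned on reports `disabled` rather than `not-efi`.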
dariusd
VMware Employee

Yes, I'm able to boot CentOS-7-x86_64-DVD-1511.iso in an EFI virtual machine with Secure Boot enabled on ESXi 6.5.

Please check that your CentOS .iso file, as attached to your CentOS VM, is complete and not corrupt!

Thanks,

--

Darius

0 Kudos