VMware Cloud Community
rkerur
Contributor

Virtual Machine secure boot

Hello,

I want to enable UEFI secure boot on a virtual machine (Linux-based OS) running on VMware ESXi. I searched for relevant documents and I came across

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-5D5EE0D1-2596-43D...

Which basically says the ESXi secure boot requires TPM-enabled hardware (server) for storing keys. Is TPM-enabled hardware (server) mandatory, or will ESXi secure boot work on non-TPM-based hardware (server) by storing keys in flash/NVRAM?

After ESXi host secure boot is enabled, I want secure boot enabled on my Linux-based virtual machine as well. I came across

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-898217D4-689D-4EB...

Which basically says

  • Click the VM Options tab, and expand Boot Options.
  • Under Boot Options, ensure that firmware is set to EFI.
  • Select your task.
    • Select the Secure Boot check box to enable secure boot.
    • Deselect the Secure Boot check box to disable secure boot.

It doesn't mention where to store virtual-machine-specific keys so that the UEFI firmware can use them to secure boot the virtual machine on ESXi.

I looked at how Qemu/KVM does this, and it clearly documents that OVMF firmware is used and that they provide a variables file ("VARS") with default UEFI keys enrolled, or I can generate my own keys.

If I want to install a secure boot virtual machine on an ESXi host, how do I provide keys so that when the virtual machine boots, the UEFI firmware certifies it?

Thanks,

Ravi

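Whatever firmware the hypervisor provides, the place to confirm what the guest actually booted with is inside the guest itself: a Linux VM with UEFI exposes the firmware's variables through efivarfs, including `SecureBoot`, `SetupMode` and the authorized signature database `db`. The script below is an added example written for this thread, not code from the original post or from VMware. It assumes a Linux guest with efivarfs mounted at `/sys/firmware/efi/efivars` and that each variable file carries a 4-byte attribute prefix before the data (the efivarfs layout). It reads the three variables, reports whether secure boot is enforcing and not in setup mode, and parses the `EFI_SIGNATURE_LIST` structures in `db` to count the enrolled X.509 certificates and SHA-256 hashes. When efivarfs is not available it falls back to constructed sample bytes so it can be run anywhere; the sample values are constructed for the example and are not real enrolled keys.

```python
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
# GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3e-4596-a3bc-dad00e67656f"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
SIGLIST_HDR = 16 + 12  # SignatureType GUID + three UINT32 size fields


def efivar_data(raw: bytes) -> bytes:
    """Strip the 4-byte attribute word efivarfs prepends to every variable."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return raw[4:]


def read_efivar(name: str, guid: str) -> bytes:
    with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as f:
        return f.read()


def parse_signature_lists(db_raw: bytes) -> list:
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx variable."""
    data = efivar_data(db_raw)
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        # Bounds checks: a malformed list must not be silently accepted.
        if sig_size < 16 or list_size < SIGLIST_HDR + hdr_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = data[off + SIGLIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data not a multiple of SignatureSize")
        entries = []
        for i in range(0, len(body), sig_size):  # EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append({"owner": str(owner), "data": body[i + 16:i + sig_size]})
        lists.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)), "entries": entries})
        off += list_size
    return lists


def summarize(secureboot_raw: bytes, setupmode_raw: bytes, db_raw: bytes) -> dict:
    """Secure boot is only effective when SecureBoot==1 and SetupMode==0."""
    sb = efivar_data(secureboot_raw)[:1] == b"\x01"
    sm = efivar_data(setupmode_raw)[:1] == b"\x01"
    db = [(lst["type"], len(lst["entries"])) for lst in parse_signature_lists(db_raw)]
    return {"secure_boot": sb, "setup_mode": sm, "enforcing": sb and not sm, "db": db}


# --- constructed sample data (not real firmware content) ---------------------
def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


SAMPLE_ATTRS = b"\x06\x00\x00\x00"  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner
SAMPLE_SECUREBOOT = SAMPLE_ATTRS + b"\x01"
SAMPLE_SETUPMODE = SAMPLE_ATTRS + b"\x00"
SAMPLE_DB = SAMPLE_ATTRS + build_signature_list(
    EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
    [hashlib.sha256(b"constructed-image-1").digest(), hashlib.sha256(b"constructed-image-2").digest()],
) + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x03\x02\x01\x01"])  # stand-in DER blob


if __name__ == "__main__":
    try:
        report = summarize(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE),
                           read_efivar("SetupMode", EFI_GLOBAL_VARIABLE),
                           read_efivar("db", EFI_IMAGE_SECURITY_DATABASE))
        print("live efivars:", report)
    except OSError:
        print("efivarfs unavailable, using constructed sample:", summarize(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE, SAMPLE_DB))
```

Run it as root inside the guest; `enforcing: True` together with a non-empty `db` is the state to look for, while `setup_mode: True` means the firmware will accept new keys without authentication and is not yet enforcing anything.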