Are there any guidelines for creating and subsequently deploying OVAs with UEFI secure boot enabled and that include the guest's NVRAM file in the OVA?
I've hit a few issues deploying OVAs that have secure boot enabled such as:
I'm running ESXi 6.7 build 8170161 and using vSphere Client 6.7.
My experience with OVF/OVA is regrettably little. Are you using a version of ovftool which corresponds with your ESXi and vSphere versions? (That's about all I can think of on the OVF side of things...)
I can say though that the NVRAM is an important part of any EFI VM, and particularly so when Secure Boot is enabled. I have not tried deleting the NVRAM for a Linux guest booting through the Linux guest Secure Boot shim, but a security violation screen is probably what I would expect to see until the guest has the opportunity to reconfigure its Secure Boot shim.
--
Darius
Thanks for the reply!
Yep, I'm using a 4.x something version of ovftool that corresponds with my vSphere/ESXi environment.
To your point, the NVRAM file is core to this functionality, so it's odd to me that I'd have to allow it to reconfigure itself/disable/re-enable secure boot for it to work.