VMware Cloud Community
ppan48711
Contributor

UEFI Secure Boot and OVAs

Are there any guidelines for creating and subsequently deploying OVAs with UEFI secure boot enabled and that include the guest's NVRAM file in the OVA?

I've hit a few issues deploying OVAs that have secure boot enabled such as:

  • Upon import of an OVA in vSphere I get errors such as: Details: - 249:7:VALUE_ILLEGAL: vmw:ExtraConfig element ''nvram''
  • When deploying OVAs that are set to use Secure Boot and EFI but do not include an NVRAM file, I'll occasionally see it boot up to a Secure Boot security violation, but if I then go and disable and re-enable UEFI Secure Boot in the guest's settings, I'm able to boot.

I'm running ESXi 6.7 build 8170161 and using vSphere Client 6.7.

2 Replies
dariusd
VMware Employee

My experience with OVF/OVA is regrettably little.  Are you using a version of ovftool which corresponds with your ESXi and vSphere versions?  (That's about all I can think of on the OVF side of things...)

I can say though that the NVRAM is an important part of any EFI VM, and particularly so when Secure Boot is enabled.  I have not tried deleting the NVRAM for a Linux guest booting through the Linux guest Secure Boot shim, but a security violation screen is probably what I would expect to see until the guest has the opportunity to reconfigure its Secure Boot shim.

--

Darius

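The two things this thread turns on are whether the descriptor carries a vmw:ExtraConfig entry for the NVRAM (the element the import rejected above) and whether the NVRAM file is actually inside the archive when Secure Boot is enabled (the point Darius makes). The script below is an added example, not code from the original posts or from VMware: it opens an OVA as the tar archive it is, parses the single .ovf descriptor and reports the firmware and Secure Boot settings, every vmw:ExtraConfig key, and whether the NVRAM file named there is both listed under References and present in the archive. The sample descriptor is constructed for the example with hypothetical file names and sizes; the vmw:Config keys "firmware" and "bootOptions.efiSecureBootEnabled" are assumed to be the ones a vSphere export writes.

```python
"""Inspect an OVA for the UEFI / Secure Boot / NVRAM settings discussed in the thread.

Added example (not from the original post or from VMware).  It treats the OVA as a
tar archive, reads the single .ovf descriptor and reports vmw:Config firmware keys,
vmw:ExtraConfig entries, and whether the NVRAM file is referenced and present.
"""
import io
import json
import sys
import tarfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
VMW_NS = "http://www.vmware.com/schema/ovf"

# Constructed sample descriptor (hypothetical names and sizes), trimmed to the parts inspected.
# The two vmw:Config keys are assumed to match what a vSphere export writes.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:vmw="{VMW_NS}">
  <References>
    <File ovf:href="sample-disk1.vmdk" ovf:id="file1" ovf:size="1024"/>
    <File ovf:href="sample-file1.nvram" ovf:id="file2" ovf:size="8684"/>
  </References>
  <VirtualSystem ovf:id="sample">
    <VirtualHardwareSection>
      <vmw:Config ovf:required="false" vmw:key="firmware" vmw:value="efi"/>
      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="true"/>
      <vmw:ExtraConfig ovf:required="false" vmw:key="nvram" vmw:value="sample-file1.nvram"/>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def build_sample_ova(include_nvram=True):
    """Pack the constructed descriptor plus stand-in disk/NVRAM payloads into an in-memory OVA."""
    files = [("sample.ovf", SAMPLE_OVF.encode()), ("sample-disk1.vmdk", b"\0" * 1024)]
    if include_nvram:
        files.append(("sample-file1.nvram", b"\0" * 8684))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def inspect_ova(source):
    """Return a dict describing firmware, Secure Boot, ExtraConfig and NVRAM state of an OVA.

    `source` is a path or a file object.  `warnings` lists the inconsistencies found; an
    empty list means the descriptor is self-consistent for an EFI + Secure Boot deployment.
    """
    opener = dict(name=source) if isinstance(source, str) else dict(fileobj=source)
    with tarfile.open(mode="r", **opener) as tar:
        names = tar.getnames()
        ovfs = [n for n in names if n.lower().endswith(".ovf")]
        if len(ovfs) != 1:
            raise ValueError(f"expected exactly one .ovf descriptor, found {ovfs}")
        root = ET.fromstring(tar.extractfile(ovfs[0]).read())

    # Namespaced attribute/element names as ElementTree exposes them.
    key, value = f"{{{VMW_NS}}}key", f"{{{VMW_NS}}}value"
    config = {e.get(key): e.get(value) for e in root.iter(f"{{{VMW_NS}}}Config")}
    extra = {e.get(key): e.get(value) for e in root.iter(f"{{{VMW_NS}}}ExtraConfig")}
    referenced = {f.get(f"{{{OVF_NS}}}href") for f in root.iter(f"{{{OVF_NS}}}File")}

    firmware = config.get("firmware")
    secure_boot = config.get("bootOptions.efiSecureBootEnabled", "").lower() == "true"
    nvram = extra.get("nvram")
    report = {
        "firmware": firmware,
        "secure_boot": secure_boot,
        "extra_config": extra,
        "nvram_file": nvram,
        "nvram_in_archive": nvram is not None and nvram in names,
        "warnings": [],
    }
    warn = report["warnings"].append
    if secure_boot and firmware != "efi":
        warn("Secure Boot is enabled but firmware is not 'efi'; Secure Boot requires EFI firmware")
    if extra:
        warn(f"descriptor carries vmw:ExtraConfig keys {sorted(extra)}; the vSphere Client import "
             "in the thread above rejected such an element with VALUE_ILLEGAL")
    if secure_boot and nvram is None:
        warn("Secure Boot is enabled but no NVRAM file is carried; the guest's stored UEFI "
             "variables will not travel with the OVA")
    if nvram is not None and nvram not in names:
        warn(f"NVRAM file {nvram!r} is named by ExtraConfig but missing from the archive")
    if nvram is not None and nvram not in referenced:
        warn(f"NVRAM file {nvram!r} is not listed under <References>")
    return report


if __name__ == "__main__":
    # With no argument the constructed sample is inspected; pass a path to check a real OVA.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_ova()
    print(json.dumps(inspect_ova(target), indent=2))
```

Run it against an OVA that fails to import and the warnings tell you which of the two failure modes in the question you are looking at: an ExtraConfig entry the importer will not accept, or a Secure Boot descriptor that ships without the NVRAM it depends on.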
ppan48711
Contributor

Thanks for the reply!

Yep, I've been using a 4.x-something version of ovftool that corresponds with my vSphere/ESXi environment.

To your point, the NVRAM file is core to this functionality, so it's odd to me that I'd have to allow it to reconfigure itself, or disable and re-enable Secure Boot, for it to work.
