DanielHansen
Contributor

ESXi PSOD using secure boot

Trying to install ESXi 7.0.0u2 build 18538813 on a Dell Poweredge R640 in UEFI mode with secure boot enabled. While loading the ISO I get the error "UEFI secure boot is not enabled" and it ends with a PSOD. When it reaches the PSOD I get the error message "UEFI secure boot failed: Failed to verify signatures of following vib(s)".

I have enabled UEFI and secure boot in the BIOS and updated to the latest available BIOS version (2.12.2) before booting from the ISO.

Screen shot of error in PSOD:


LabMasterBeta
Enthusiast

For ESXi 6.5, 6.7, and 7.0 Secure Boot to work, you must meet the following requirements:

1.) BIOS/UEFI set to UEFI-Only mode (disable "DUAL" and CSM modes).

2.) Have a supported TPM 2.0 module installed and enabled (older TPM 1.x will not work).

3.) If available in your UEFI, also Enable Intel TXT mode (an extended security feature-subset, supported by ESXi 7.0).

4a.) All VIBs must be digitally signed by the vendor.

4b.) Emphasis added: if you install any VIB that REQUIRES installing with "--no-sig-check" or "esxcli software acceptance set --level Community", then your ESXi environment is NOT using all signed VIBs, is NOT SecureBoot compliant, and will NOT work.

Tips:

It is my real-world experience that you can receive different generic errors about SecureBoot and/or TPM attestation which are directly related, and can be caused by not complying with ANY one of these requirements.

Troubleshooting:

a.) Disable SecureBoot in UEFI/EFI firmware.

b.) Reboot and SSH or Console into ESXi as root.

c.) Run the script, "/usr/lib/vmware/secureboot/bin/secureBoot.py -c"

If ANY VIB fails the secureBoot.py system check, you CANNOT override it, and you must update the listed VIB with an updated digitally-signed VIB from the vendor (and you will get a PSOD if you try to force it when ANY one of the compliance checks fails).

However, to reiterate, I have many times seen a missing TPM 2.0 module, DUAL / UEFI Legacy-BIOS Compatibility Mode (CSM) being enabled, etc., cause random errors with SecureBoot as well.

If an updated digitally-signed VIB update is NOT available from the vendor, then you have two choices:

*.) Verify the reason for the VIB and, if you are positive its functionality is NOT required, then delete it, reboot, and try the script again. See VMware KB article 2147606 for an example of this.

*.) Decide for yourself to accept potential security issues relating to leaving SecureBoot disabled (until the required digitally-signed VIB is available).

If your host does not have a TPM 2.0 hardware chip, then you have two choices:

*.) Ask your system board vendor if they are adding emulated TPM 2.0 functionality to their UEFI firmware sets, which avoids a physical TPM 2.0 chip for system boards that do not have a socket or method to add one (but IMHO this is not recommended, as it defeats the entire concept of the hardware-based root-of-trust trusted platform standards).

*.) Buy and install the TPM 2.0 module on your host system board if one is available; they are usually inexpensive.

Otherwise, if any one of the requirements cannot be met:

Buy a new host or compatible system board that has a TPM 2.0 chip module and UEFI SecureBoot capability, and is ESXi supported for using only digitally signed VIBs, in your next lifecycle refresh.

Or, if budget does not currently permit, then you are forced to accept all related security risks by ignoring SecureBoot, TPM attestation and VIB signing errors until budget permits (aka a "forklift" upgrade), which means you will have to leave SecureBoot disabled to avoid the PSOD until compliant.

Note, this is not just VMware products; for example, it is the same exact situation with Windows 11 and Windows Server 2022, so this is not a new scenario.

Did you upgrade from a prior version of ESXi? For example, it is recommended to go from 6.5 to 6.7 before going to 7.0, which helps auto-update many VIBs to be compliant with 7.0 Secure Boot (among a lot of other things for 7.0).

WARNINGS!:

Before updating VIBs for digital signature compliance, first validate that those VIBs do not have dependencies on other VIBs or other things that may need to be updated in parallel, to avoid serious problems. There are KB articles to help with this for ESXCLI (if you do not use VUM), such as VMware KB article 1027206.

Once SecureBoot is successfully enabled, it is Strongly Recommended to back up the Secure Boot crypto keys to a secure location for future troubleshooting, because without the Secure Boot key backup you are forced to reinstall if anything relating to booting goes wrong with the ESXi host.

Hope this helps!

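As an added pre-check for troubleshooting step c.) above (an example written for this thread, not code from the reply, from VMware or from the secureBoot.py tool): a POSIX sh script that pulls the CommunitySupported VIBs, which carry no vendor signature and so fail the Secure Boot VIB signature check, out of `esxcli software vib list` output, and on a real host then hands off to VMware's own check. The column layout of `esxcli software vib list` is assumed from the constructed sample inside the script, whose VIB names, versions and dates are made up.

```shell
#!/bin/sh
# Constructed sample of `esxcli software vib list` output (not captured from
# a real host); used when the script runs somewhere esxcli is not available.
SAMPLE_VIB_LIST='Name                Version                  Vendor   Acceptance Level    Install Date
------------------  -----------------------  -------  ------------------  ------------
esx-base            7.0.2-0.25.18538813      VMware   VMwareCertified     2022-02-18
net-example-driver  1.0.0-1                  Example  CommunitySupported  2022-02-18
vendor-tool         2.3.4-5                  Example  PartnerSupported    2022-02-18'

# Print the name (first column) of every VIB at the CommunitySupported
# acceptance level. Those VIBs are unsigned, so the Secure Boot VIB
# signature check ("Failed to verify signatures of following vib(s)")
# fails on them. The first two lines are the header and the dashes.
find_unsigned_vibs() {
    printf '%s\n' "$1" |
        awk 'NR > 2 && $0 ~ /[[:space:]]CommunitySupported[[:space:]]/ { print $1 }'
}

# Number of offending VIBs; 0 means this particular check passes.
count_unsigned_vibs() {
    find_unsigned_vibs "$1" | awk 'END { print NR }'
}

if command -v esxcli >/dev/null 2>&1; then
    # On an ESXi host (Secure Boot disabled, as root): inspect the live VIB
    # list, then run VMware's authoritative check from the thread.
    unsigned=$(find_unsigned_vibs "$(esxcli software vib list)")
    if [ -n "$unsigned" ]; then
        echo "Unsigned (CommunitySupported) VIBs that will block Secure Boot:"
        echo "$unsigned"
    fi
    /usr/lib/vmware/secureboot/bin/secureBoot.py -c
else
    # Offline demonstration against the constructed sample.
    find_unsigned_vibs "$SAMPLE_VIB_LIST"
fi
```

A VIB flagged here still has to be replaced by a signed vendor build or removed, exactly as the reply describes; the script only tells you which ones to chase before secureBoot.py does.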