VMware ESXi Secure boot support for
Dell PowerEdge Servers
VMware supports UEFI Secure boot on versions ESXi 6.5 or later. UEFI Secure boot in general verifies the integrity of every package that is loaded as part of the operating system bootup. Secure boot verifies the integrity of the vSphere Installation Bundle (VIB) packages that are loaded from the boot device.
ESXi Secure boot workflow
The
mboot boot loader in ESXi contains a VMware public key and is validated against the Certificate Authority (CA) present in the platform BIOS UEFI Secure boot authorized database during ESXi boot. The boot loader uses this key to verify the signature of the kernel and a small subset of systems that includes a Secure boot VIB verifier, a VIB package that is used for validating the signature of the drivers and other VIB packages that are loaded from the boot device. If any of the VIB installed on ESXi does not match with the signature of the public key that is contained in the bootloader, and then ESXi boot ends up with the Purple Screen Of Death (PSOD) mentioning a signature mismatch for the specific failing VIBs.
Figure 1. ESXi Secure boot
The BIOS of Dell PowerEdge systems is preconfigured with the VMware Certificate Authority (VMCA) in the UEFI Secure boot authorized database. Download the latest server BIOS from the
Dell support page before enabling UEFI Secure boot.
NOTE: UEFI Secure boot is supported only on Dell yx3x PowerEdge systems or later.
For more information about Secure boot, see the following pages:
