You can choose to enable UEFI secure boot enforcement, or disable a previously enabled UEFI secure boot enforcement. You must use ESXCLI to change the setting in the TPM on the
ESXi
host.
This task applies only to
ESXi
hosts that have a TPM. UEFI Secure boot is a firmware setting for ensuring that the software launched by the firmware is trusted. To learn more, see
UEFI Secure Boot for ESXi Hosts
. The enablement of UEFI Secure boot can be enforced upon every boot by using the TPM.
Prerequisites
Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the
ESXi
Shell.
Required privilege for using ESXCLI standalone version or through PowerCLI:
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
If secure boot enforcement is enabled, Require Secure Boot displays true. If secure boot enforcement is disabled, Require Secure Boot displays false.
If Mode appears as NONE, you must enable the TPM in the host's firmware and set the mode by running the following command:
esxcli system settings encryption set --mode=TPM
Enable or disable the secure boot enforcement.
Shut down the host gracefully.
For example, right-click the
ESXi
host in the
vSphere Client
and select
.
Enable secure boot in the firmware of the host.
See your specific vendor hardware documentation.
Restart the host.
Run the following ESXCLI command.
esxcli system settings encryption set --require-secure-boot=T
Verify the change.
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
Confirm that Required Secure Boot displays true.
To save the setting, run the following command.
/bin/backup.sh 0
Disable
Run the following ESXCLI command.
esxcli system settings encryption set --require-secure-boot=F
Verify the change.
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: false
Confirm that Require Secure Boot displays false.
To save the setting, run the following command.
/bin/backup.sh 0
You can choose to disable the secure boot in the firmware of the host, but at this point the dependency between the firmware setting and the TPM enforcement is no longer set.
Results
ESXi
host runs with secure boot enforcement enabled or disabled, depending on your choice.
Note:
If you do not activate a TPM when you install or upgrade to vSphere 7.0 Update 2 or later, you can do so later with the following command.
esxcli system settings encryption set --mode=TPM
Once you have activated the TPM, you cannot undo the setting.
The
esxcli system settings encryption set
command fails on some TPMs even when the TPM is enabled for the host.
In vSphere 7.0 Update 2: TPMs from NationZ (NTZ), Infineon Technologies (IFX), and certain new models (like NPCT75x) from Nuvoton Technologies Corporation (NTC)
In vSphere 7.0 Update 3: TPMs from NationZ (NTZ)
If an installation or upgrade of vSphere 7.0 Update 2 or later is unable to use the TPM during the first boot, the installation or upgrade continues, and the mode defaults to NONE (that is,
--mode=NONE
). The resulting behavior is as though the TPM is not activated.