You can choose to enable UEFI secure boot enforcement, or disable a previously enabled UEFI secure boot enforcement. You must use ESXCLI to change the setting in the TPM on the ESXi host.

This task applies only to ESXi hosts that have a TPM. UEFI Secure Boot is a firmware setting that ensures the software launched by the firmware is trusted. To learn more, see UEFI Secure Boot for ESXi Hosts. Enablement of UEFI Secure Boot can be enforced on every boot by using the TPM.

Prerequisites

  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using the ESXCLI standalone version or through PowerCLI: Host.Config.Settings
  • Check the current encryption settings of the host by running the following command.
    esxcli system settings encryption get
       Mode: TPM
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: true
    If secure boot enforcement is enabled, Require Secure Boot displays true. If secure boot enforcement is disabled, Require Secure Boot displays false. If Mode appears as NONE, you must enable the TPM in the host's firmware and set the mode by running the following command:
    esxcli system settings encryption set --mode=TPM

Procedure

  • Enable or disable the secure boot enforcement.

    Enable
      • Shut down the host gracefully.

        For example, right-click the ESXi host in the vSphere Client and select Power > Shut Down.

      • Enable secure boot in the firmware of the host.

        See your specific vendor hardware documentation.

      • Restart the host.
      • Run the following ESXCLI command.
        esxcli system settings encryption set --require-secure-boot=T
      • Verify the change.
        esxcli system settings encryption get
           Mode: TPM
           Require Executables Only From Installed VIBs: false
           Require Secure Boot: true

        Confirm that Require Secure Boot displays true.

      • To save the setting, run the following command.
        /bin/backup.sh 0

    Disable
      • Run the following ESXCLI command.
        esxcli system settings encryption set --require-secure-boot=F
      • Verify the change.
        esxcli system settings encryption get
           Mode: TPM
           Require Executables Only From Installed VIBs: false
           Require Secure Boot: false

        Confirm that Require Secure Boot displays false.

      • To save the setting, run the following command.
        /bin/backup.sh 0

        You can also choose to disable secure boot in the firmware of the host, but at this point the dependency between the firmware setting and the TPM enforcement is no longer set.

Results

  The ESXi host runs with secure boot enforcement enabled or disabled, depending on your choice.

  Note: If you do not activate a TPM when you install or upgrade to vSphere 7.0 Update 2 or later, you can do so later with the following command.
    esxcli system settings encryption set --mode=TPM
  Once you have activated the TPM, you cannot undo the setting.

  The esxcli system settings encryption set command fails on some TPMs even when the TPM is enabled for the host:

  • In vSphere 7.0 Update 2: TPMs from NationZ (NTZ), Infineon Technologies (IFX), and certain new models (like NPCT75x) from Nuvoton Technologies Corporation (NTC)
  • In vSphere 7.0 Update 3: TPMs from NationZ (NTZ)

  If an installation or upgrade of vSphere 7.0 Update 2 or later is unable to use the TPM during the first boot, the installation or upgrade continues, and the mode defaults to NONE (that is, --mode=NONE). The resulting behavior is as though the TPM is not activated.
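The procedure above verifies enforcement by reading `esxcli system settings encryption get` by eye. The following added helper (example code, not from the VMware documentation) classifies that output so an administrator can check many hosts consistently; it assumes the "Key: Value" output lines shown above, and the sample outputs in it are constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the VMware documentation): classify the output
# of 'esxcli system settings encryption get' so a fleet-wide check can flag hosts
# whose TPM-backed secure boot enforcement has drifted. Assumes the "Key: Value"
# output format shown in the procedure above.

# Reads the 'get' output on stdin and prints exactly one of:
#   enforced        Mode is TPM and Require Secure Boot is true
#   not-enforced    Mode is TPM but Require Secure Boot is false
#   tpm-not-active  Mode is NONE (enable the TPM in firmware, then set --mode=TPM)
#   unknown         the output did not match the expected format
classify_encryption_settings() {
    mode=""
    require_sb=""
    while IFS= read -r line; do
        # Strip indentation, then split on the first colon.
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/:.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            "Mode")                mode=$val ;;
            "Require Secure Boot") require_sb=$val ;;
        esac
    done
    case "$mode/$require_sb" in
        TPM/true)  echo enforced ;;
        TPM/false) echo not-enforced ;;
        NONE/*)    echo tpm-not-active ;;
        *)         echo unknown ;;
    esac
}

# Wrapper taking the output as a string argument (used by the samples below).
classify_string() {
    printf '%s\n' "$1" | classify_encryption_settings
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ENFORCED='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'
SAMPLE_DISABLED='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
SAMPLE_NO_TPM='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# On a real host: esxcli system settings encryption get | classify_encryption_settings
classify_string "$SAMPLE_ENFORCED"   # prints: enforced
```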