You can absolutely enable Secure Boot on an ESXi host even if it lacks a TPM chip.
Secure Boot is fundamentally a UEFI firmware feature that relies on digital signatures, not on a physical TPM for it's core function. While combining it with a TPM offers a much stronger overall security posture through hardware-rooted trust and attestation, Secure Boot can operate independently.
To enable Secure Boot in a server with no TPM chip installed:
1. Change the BIOS boot to UEFI
NOTE: Before enabling UEFI Secure Boot on an ESXi host that was upgraded from an earlier release, check it's compatibility by running the following command on the ESXi shell:
/usr/lib/vmware/secureboot/bin/secureBoot.py -c
2. Enable Secure Boot option in settings (You have to boot the ESXi from hardware console, get to settings via F2 option and check there)
3. Verify the Secure Boot is enabled in ESXi shell to ensure.
/usr/lib/vmware/secureboot/bin/secureBoot.py -s
-------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Please note that while I am a VMware employee, my participation in the VMware Communities is voluntary and not in an official capacity.
If you found my response helpful, kindly consider marking it as the Correct Answer or give Kudos. Thank you.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Original Message:
Sent: Sep 10, 2023 01:22 AM
From: Mark Edwards
Subject: Does ESXi secure boot specifically require a TPM chip?
Hi experts, sorry if this is an obvious question.
As per question, does ESXi secure boot specifically require a TPM chip? I kind of think the answer is no, but i can't definitively find an answer to this. The documentation talks about being able to securely store the private key in a TPM chip, but doesn't make clear if the it is an absolute requirement?
My suspicion is that the private key may otherwise be stored in an NVRAM part of the UEFI chip, and that the TPM is simply a more secure alternative, but i can't validate this. Can anyone confirm?
Many Thanks