VMware vSphere

  • 1.  Does ESXi secure boot specifically require a TPM chip?

    Posted Sep 10, 2023 01:23 AM

    Hi experts, sorry if this is an obvious question.


    As per the question, does ESXi secure boot specifically require a TPM chip? I kind of think the answer is no, but I can't definitively find an answer to this. The documentation talks about being able to securely store the private key in a TPM chip, but doesn't make clear whether it is an absolute requirement.


    My suspicion is that the private key may otherwise be stored in an NVRAM part of the UEFI chip, and that the TPM is simply a more secure alternative, but I can't validate this. Can anyone confirm?


    Many Thanks 



  • 2.  RE: Does ESXi secure boot specifically require a TPM chip?

    Posted Sep 10, 2023 01:14 PM

    The TPM module is for something different.

    For secure boot, mostly UEFI settings are used.



  • 3.  RE: Does ESXi secure boot specifically require a TPM chip?

    Posted Sep 10, 2023 01:17 PM

    Secure boot does not require a TPM module and is part of the UEFI firmware standard.

    Check out this VMware doc link

    UEFI Secure Boot for ESXi Hosts (vmware.com)



  • 4.  RE: Does ESXi secure boot specifically require a TPM chip?

    Posted Sep 10, 2023 01:58 PM

     wrote:

    Secure boot does not require a TPM module and is part of the UEFI firmware standard.

    Check out this VMware doc link

    UEFI Secure Boot for ESXi Hosts (vmware.com)


    Thanks Rob, I read that very article, but it wasn't clear from the TPM reference, if it was optional or required, or where it stores the private key if a TPM chip isn't present. I couldn't really find that documented anywhere.

    Thanks for confirming my suspicions though 




  • 5.  RE: Does ESXi secure boot specifically require a TPM chip?

    Broadcom Employee
    Posted 2 days ago
    Edited by Zakir Gonal 19 hours ago
    You can absolutely enable Secure Boot on an ESXi host even if it lacks a TPM chip. 
     
    Secure Boot is fundamentally a UEFI firmware feature that relies on digital signatures, not on a physical TPM, for its core function. While combining it with a TPM offers a much stronger overall security posture through hardware-rooted trust and attestation, Secure Boot can operate independently.
     
    To enable Secure Boot in a server with no TPM chip installed:
     
    1. Change the BIOS boot to UEFI
     
    NOTE: Before enabling UEFI Secure Boot on an ESXi host that was upgraded from an earlier release, check its compatibility by running the following command in the ESXi shell:
     
    /usr/lib/vmware/secureboot/bin/secureBoot.py -c
     
    2. Enable the Secure Boot option in the firmware settings (you have to boot the ESXi host from the hardware console, get to the settings via the F2 option and check there).
    3. Verify that Secure Boot is enabled from the ESXi shell:
     
    /usr/lib/vmware/secureboot/bin/secureBoot.py -s

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Please note that while I am a VMware employee, my participation in the VMware Communities is voluntary and not in an official capacity.
    If you found my response helpful, kindly consider marking it as the Correct Answer or give Kudos. Thank you.
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
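
The enable-and-verify procedure from the reply above, as an added shell example for the ESXi shell; this is not code from the post or from VMware. It wraps the two `secureBoot.py` invocations the reply names (`-c` for the pre-upgrade compatibility check and `-s` for the status check) in a small audit script. The keywords it matches on (`Enabled`/`Disabled` for `-s`, the phrase `can be enabled` for a passing `-c`) are assumptions about the script's output rather than something the thread documents, and the sample outputs at the bottom are constructed stand-ins so the decision logic can be exercised off-box; on a real host the script runs the actual commands instead.

```shell
#!/bin/sh
# Added example: pre-flight and post-enable checks for UEFI Secure Boot on an
# ESXi host, wrapping the two commands named in the reply. Not VMware's code.
SECUREBOOT_PY=${SECUREBOOT_PY:-/usr/lib/vmware/secureboot/bin/secureBoot.py}

# classify_check: normalize the output of `secureBoot.py -c`.
# ASSUMPTION: a passing run contains the phrase "can be enabled"; anything
# else (for example a report of unsigned VIBs) is treated as a failed pre-check.
classify_check() {
  case "$1" in
    *"can be enabled"*) echo pass ;;
    *) echo fail ;;
  esac
}

# classify_status: normalize the output of `secureBoot.py -s`.
# ASSUMPTION: the script prints "Enabled" or "Disabled".
classify_status() {
  case "$1" in
    *Enabled*)  echo enabled ;;
    *Disabled*) echo disabled ;;
    *)          echo unknown ;;
  esac
}

# decide: given the two normalized results, print the action an admin should
# take next:
#   ok           - Secure Boot is on and the VIB signature check passes
#   enable-uefi  - host is ready; switch Boot Mode to UEFI and enable Secure Boot
#   fix-vibs     - do not enable yet: the compatibility check failed
decide() {
  check="$1"; status="$2"
  if [ "$check" != pass ]; then
    echo fix-vibs
  elif [ "$status" = enabled ]; then
    echo ok
  else
    echo enable-uefi
  fi
}

# audit_host: run both commands on a live ESXi host and print a one-line verdict.
audit_host() {
  [ -x "$SECUREBOOT_PY" ] || { echo "no secureBoot.py at $SECUREBOOT_PY" >&2; return 2; }
  check=$(classify_check "$("$SECUREBOOT_PY" -c 2>&1)")
  status=$(classify_status "$("$SECUREBOOT_PY" -s 2>&1)")
  echo "check=$check status=$status action=$(decide "$check" "$status")"
}

# Constructed sample outputs (not captured from a real host) so the logic can
# be exercised without an ESXi box.
SAMPLE_CHECK_OK="Secure boot can be enabled: All vib signatures verified."
SAMPLE_CHECK_BAD="Secure boot CANNOT be enabled: Failed to verify signatures of the following vib(s): [example-vib]"
SAMPLE_STATUS_ON="Enabled"
SAMPLE_STATUS_OFF="Disabled"

# demo: walk the three states the procedure can end in, using the samples.
demo() {
  decide "$(classify_check "$SAMPLE_CHECK_BAD")" "$(classify_status "$SAMPLE_STATUS_OFF")"
  decide "$(classify_check "$SAMPLE_CHECK_OK")"  "$(classify_status "$SAMPLE_STATUS_OFF")"
  decide "$(classify_check "$SAMPLE_CHECK_OK")"  "$(classify_status "$SAMPLE_STATUS_ON")"
}

# On an ESXi host run the real audit; anywhere else, run the offline demo.
if [ -x "$SECUREBOOT_PY" ]; then audit_host; else demo; fi
```

Run it from the ESXi shell after the upgrade and before touching the firmware settings: a `fix-vibs` verdict means the `-c` check flagged unsigned VIBs, so enabling Secure Boot would leave the host unbootable until those are removed; `enable-uefi` means the host is ready for steps 1 and 2; `ok` is the expected result after step 3.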