VMware vSphere

 View Only

  • 1.  How can set require secure boot TRUE on esxi host

    Posted Jan 01, 2022 08:58 AM

    I am using VMware ESXi 7.0 Update 2 according to follow output secureboot has enabled on my HPE server :

    [root@host1:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated
    [root@host1:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -s
    Enabled

    Now I want to enable require-secure-boot but cannot set it and show follow error :

    [root@host1:~] esxcli system settings encryption set --require-secure-boot=TRUE
    Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.

    How can solve it ?



  • 2.  RE: How can set require secure boot TRUE on esxi host

    Posted Apr 26, 2022 12:22 PM

    Make sure that you've activated TPM during installation, if not, use this command:

    esxcli system settings encryption set --mode=TPM

    Then continue as follow:

    1. Activate

    esxcli system settings encryption set --require-secure-boot=T

     2. Check

    esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true

     3. Backup the key:

    esxcli system settings encryption recovery list



  • 3.  RE: How can set require secure boot TRUE on esxi host

    Posted Apr 26, 2022 05:54 PM

    But I don't have TPM on my esxi hosts



  • 4.  RE: How can set require secure boot TRUE on esxi host

    Posted May 08, 2022 08:11 PM

     

    You must have either physical TPM 2.0 installed (e.g. module supported in UEFI to enable)

    Or sometimes in rare cases I see vendors updated UEFI firmware to "emulate" TPM 2.0 features.

    See other post here:

    https://communities.vmware.com/t5/vSphere-Hypervisor-Discussions/ESXi-PSOD-using-secure-boot/m-p/2907887#M7025



  • 5.  RE: How can set require secure boot TRUE on esxi host

    Posted 24 days ago

    Is this setting available to enforce via Host Profiles?

    Require Secure Boot: true
    -------------------------------------------

    Original Message


  • 6.  RE: How can set require secure boot TRUE on esxi host

    Posted 23 days ago

    No, this setting should be automatically enabled if you have TPM + SecureBooy enabled in your BIOS.  You would control that with hardware profiles from your vendor.  

    it's best not to ask a separate / barely related question on a 3 year old post.  It's best to start your own post.  Not many will see this post.

    -------------------------------------------

    Original Message


  • 7.  RE: How can set require secure boot TRUE on esxi host

    Broadcom Employee
    Posted Nov 09, 2022 04:32 PM

    I ran into the exact same thing and then discovered that even though my host recognized the TPM chip Secure Boot was not, in fact, enabled. DOH!!!  Check your system manual for instructions and make sure the BIOS/Firmware has secure boot enabled.

    Joe