Sergey Nivens - Fotolia

How does ESXi secure boot improve vSphere security?

VMware vSphere 6.5 takes an extra security step, building on UEFI secure boot with added cryptographic validation to all ESXi components.

VMware vSphere 6.5 added numerous features designed to improve the security of virtual machines both at rest and...

in flight, and enhance the security details provided with logs, reports and new features called ESXi secure boot and virtual machine secure boot.

Administrators can use these vSphere security tools to prevent unauthorized snooping or tampering with VMs, and receive more detailed alerts of changes that might suggest malicious activities, resulting in faster containment and corrective actions.

As with any new features, it's important to understand requirements and prerequisites, test new behaviors to gain experience, identify and resolve any deployment problems -- especially with vSphere security -- and establish the processes to manage new features before implementing them in a production environment.

Unauthorized alterations or modifications in an operating system like Microsoft Windows or VMware ESXi can portend serious security breaches that may be difficult -- even impossible -- to detect without deliberate scanning and other careful investigation.

Improve vSphere security with ESXi secure boot

One emerging way to protect the integrity of an OS at boot time is to validate the kernel against a trusted source of truth such as a digital certificate. The secure boot feature available in Unified Extensible Firmware Interface (UEFI) firmware is capable of validating the digital signature of an OS kernel and other components against a trusted digital certificate included in the UEFI firmware.

Typically, each major component of the OS that supports UEFI secure boot will be signed. This may include the boot loader, kernel and drivers. Microsoft provides some UEFI certificates suitable for booting Windows as well as some third-party code like Linux boot loaders. VMware also offers a certificate for booting ESXi inside a VM. At boot time, the OS is considered validated if the certificate matches the signature, and the boot process can proceed.

VMware vSphere security takes this validation process even further with ESXi secure boot, which adds cryptographic validation to all of ESXi components. The idea is that ESXi is composed of a series of digitally signed packages arranged into a vSphere installation bundle (VIB). Once the UEFI secure boot validates the ESXi kernel, the ESXi kernel will use the same digital certificate to validate each VIB -- ensuring that all ESXi components within the VM are intact and unaltered.

How to implement ESXi secure boot

You can only implement ESXi secure boot can in the vSphere Web Client when UEFI firmware is available on the host system, the operating system intended for the VM supports UEFI secure boot, and the hypervisor supports virtual hardware version 13 or later.

Select the desired virtual machine, open the Edit Settings dialog, verify that firmware is set to EFI -- not UEFI -- check the Enable secure boot check box, and then select OK.

Even when all requirements are met, you need to power the VM off before enabling secure boot. Then you have to restart the VM after you enable secure boot in order for secure boot to take effect.

Remember that once you enable ESXi secure boot, only operating system components with valid manufacturers' signatures can boot. If a signature is missing or invalid for any OS component, the boot process for that VM will stop and return an error -- there is no way to force the installation of unsigned OS components.

It's a good idea to test secure boot behavior on a test VM in a lab setting before attempting to enable secure boot in a production environment. This allows IT administrators to troubleshoot and remedy possible vSphere security errors more effectively.

Next Steps

Security gets a boost in vSphere 6.5 with VM encryption

VMware puts the spotlight on security with vSphere 6.5 features

VM encryption adds security at the hypervisor level

Dig Deeper on Securing a VMware environment