For example “ net-tg3” and “ ntg3” or “ net-bnx2i” and “ bnxnet” I noticed a lot of drivers that seemed to be duplicates of existing drivers. When It came up with no VIBs then I was confident that Secure Boot would work. As I removed VIBs I would always re-run this to ensure I caught everything. Using this command during this process became mandatory. Using the KB’s above as a starting point, I logged in to the host and ran the following command:Īll tardisks validated. This updated some of the VIBs but not nearly all of them. The first step I tried was installing 6.7 from an ISO over the existing installation of 6.7. KB54481 Cannot enable secure boot on host upgraded to ESXi 6.7.KB2147606 Cannot enable secure boot on ESXi 6.5 or 6.7 host that was upgraded.The following KB’s give you some guidance on VIB signature issues but I’m hoping this blog will go into it a little deeper. If you have updated using VUM or via an ISO update then you may find that your VIB’s have been updated with their signatures and you are good to go. If you updated using ESXCLI then you may encounter this issue. Hence, if the VIB is not updated in the update and carried forward as is, we can’t verify its signature. Why did I get this PSOD? This is because prior to ESXi 6.5, we did not save the required VIB metadata necessary for Secure Boot to work. I rebooted into the UEFI BIOS and turned off Secure Boot until I was sure it would work. Before I could continue, I needed to fix this. Also, some of these drivers are not “Native” ESXi drivers. Well, Secure Boot is working as designed! It has encountered a number of VIBs that don’t have their VIB signatures carried over via an update. When I went in to the UEFI BIOS and enabled Secure Boot I got this. If I was using Host Profiles then I’d be booting a clean copy of ESXi and would probably not be encountering these issues! PSOD! As you can see, this caused me some heartache. Older drivers that are replaced with newer drivers, older drivers from the server vendor that are now deprecated, etc. Like many of you, I tend to just update in place and this leads to the accumulation of “stuff” on my systems. But now it was time to update the bare metal hosts. This blog article is Part 1 of a two part series on how to configure your hosts to use SecureBoot and TPM 2.0.Īll my prior testing with 6.5 and during 6.7 beta was done with nested virtualization and fresh installations. But I had a few issues before I was able to get everything working. I had gotten my Dell R630’s updated with TPM 2.0 chips and was looking forward to booting with “attested” hosts. When 6.7 went “GA” or General Availability, I was excited to get it installed and running on my bare metal hosts in my lab here at VMware.
0 Comments
Leave a Reply. |