# VCP
## Secure boot
Part of the UEFI standard; the firmware refuses to load any UEFI driver or app unless the ESXi bootloader is cryptographically signed.
### Boot sequence
The ESXi bootloader contains a VMware public key. The bootloader uses this key to verify the signature of the kernel and of a small subset of the system that includes the secure boot VIB verifier. The VIB verifier then verifies every VIB package installed on the system.
With a TPM, the TPM seals the information using a TPM policy based on the PCR values recorded for secure boot.
![ESXi secure boot sequence](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/images/GUID-AACA1A15-B7AC-46AF-81D1-92657FF3FDB6-high.png)
### Requirements
- ESXi installed on UEFI
- Secure boot enabled in BIOS
- vSphere 6.5 or later
- no old VIBs from previous ESXi versions remain on the system
- check with `/usr/lib/vmware/secureboot/bin/secureBoot.py -c`
### Error messages
`UEFI0073: Unable to boot PXE Device...because of the Secure Boot policy`
Shown when you attempt to boot with a bootloader that is unsigned or has been tampered with during the boot sequence.
The exact message depends on the hardware vendor.
`Fatal error: 39 (Secure Boot Failed)`
The kernel has been tampered with.
`UEFI Secure Boot failed: Failed to verify signatures of the following vibs (XX)`
If a VIB package or driver has been tampered with, a PSOD occurs with the above message.
### Resolving secureboot issues
1. Reboot the host with secure boot deactivated
2. run the secureboot verification script ([[https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-5D5EE0D1-2596-43D7-95C8-0B29733191D9.html#GUID-DD075A38-8900-459F-BD9D-69DC87CCE11B "After you upgrade an ESXi host from a version that does not support UEFI secure boot, you must check if you can activate secure boot."]])
3. examine the information in `/var/log/esxupdate.log`
## execInstalledOnly
Helps protect hosts against ransomware; the runtime option is enabled by default on ESXi 8.0.
It ensures that the VMkernel executes only binaries on a host that have been signed as part of a valid VIB.
It is both a boot option and a runtime option and was introduced in ESXi 5.5.
The boot option can be enforced using the TPM.
The execInstalledOnly runtime option can be disabled with
`esxcli system settings advanced set -o /User/execInstalledOnly -i 0`
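Added example (not part of the original notes): a small POSIX sh helper that reads the `Int Value` field from the output of `esxcli system settings advanced list -o /User/execInstalledOnly` and reports whether the host is still in the hardened state or has been weakened to `0`. The `Path/Type/Int Value` layout of the esxcli output is assumed, and the two sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Extract the "Int Value:" field from `esxcli system settings advanced list -o <path>` output.
# The field layout is assumed from esxcli's usual key/value listing.
advanced_int_value() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Int Value:/ { print $2; exit }'
}

# Report the execInstalledOnly runtime state.
# Returns 0 when enforced (1), 1 when disabled (0), 2 when the value cannot be read.
exec_installed_only_status() {
    value=$(advanced_int_value "$1")
    case "$value" in
        1) echo "execInstalledOnly: enforced (only binaries from signed VIBs run)"; return 0 ;;
        0) echo "execInstalledOnly: DISABLED (VMkernel will run unsigned binaries)"; return 1 ;;
        *) echo "execInstalledOnly: unknown value '$value'"; return 2 ;;
    esac
}

# Constructed sample output for a host in the default, hardened state.
SAMPLE_HARDENED='   Path: /User/execInstalledOnly
   Type: integer
   Int Value: 1
   Default Int Value: 1
   Min Value: 0
   Max Value: 1
   Description: Only execute binaries that were installed via a VIB'

# Constructed sample output after someone ran `... set -o /User/execInstalledOnly -i 0`.
SAMPLE_WEAKENED='   Path: /User/execInstalledOnly
   Type: integer
   Int Value: 0
   Default Int Value: 1
   Min Value: 0
   Max Value: 1
   Description: Only execute binaries that were installed via a VIB'

exec_installed_only_status "$SAMPLE_HARDENED"
exec_installed_only_status "$SAMPLE_WEAKENED" ||
    echo "  -> restore with: esxcli system settings advanced set -o /User/execInstalledOnly -i 1"

# On a live ESXi host, feed the real output instead of the samples:
#   exec_installed_only_status "$(esxcli system settings advanced list -o /User/execInstalledOnly)"
```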
## ESXi host firewall
Has no impact on VM traffic; it applies only to the ESXi host itself.
## Lockdown mode
A way to make the ESXi host available only through vCenter or the DCUI. Exception users can be defined.
- off
    - lockdown is not enabled, the ESXi host can be managed directly
- normal
    - the ESXi host can only be managed through vCenter and the DCUI
    - exception users can still access the ESXi host through the web client and the DCUI
- strict
    - the ESXi host can only be managed through vCenter
    - exception users can still access the ESXi host through the web client
## 🔗Resources
### Secureboot
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-5D5EE0D1-2596-43D7-95C8-0B29733191D9.html