The ESXi host must implement Secure Boot enforcement.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258740	ESXI-80-000085	SV-258740r933281_rule		Medium

Description
Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating system bootloader has a valid digital signature. Secure Boot for ESXi requires support from the firmware and it requires that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a partner subordinate. Secure Boot is enabled in the BIOS of the ESXi physical server and supported by the hypervisor boot loader. This control flips ESXi from merely supporting Secure Boot to requiring it. Without this setting enabled, and configuration encryption, an ESXi host could be subject to offline attacks. An attacker could simply transfer the ESXi install drive to a non-Secure Boot host and boot it up without ESXi complaining. Satisfies: SRG-OS-000257-VMM-000910, SRG-OS-000258-VMM-000920, SRG-OS-000445-VMM-001780, SRG-OS-000446-VMM-001790

Description

Secure Boot is part of the UEFI firmware standard. With UEFI Secure Boot enabled, a host refuses to load any UEFI driver or app unless the operating system bootloader has a valid digital signature. Secure Boot for ESXi requires support from the firmware and it requires that all ESXi kernel modules, drivers, and VIBs be signed by VMware or a partner subordinate. Secure Boot is enabled in the BIOS of the ESXi physical server and supported by the hypervisor boot loader. This control flips ESXi from merely supporting Secure Boot to requiring it. Without this setting enabled, and configuration encryption, an ESXi host could be subject to offline attacks. An attacker could simply transfer the ESXi install drive to a non-Secure Boot host and boot it up without ESXi complaining. Satisfies: SRG-OS-000257-VMM-000910, SRG-OS-000258-VMM-000920, SRG-OS-000445-VMM-001780, SRG-OS-000446-VMM-001790

STIG	Date
VMware vSphere 8.0 ESXi Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62480r933279_chk )
If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III. From an ESXi shell, run the following command: # esxcli system settings encryption get or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.settings.encryption.get.invoke() \| Select RequireSecureBoot Expected result: Require Secure Boot: true If "Require Secure Boot" is not enable, this is a finding.

Check Text ( C-62480r933279_chk )

If the ESXi host does not have a compatible TPM, this finding is downgraded to a CAT III.

From an ESXi shell, run the following command:

# esxcli system settings encryption get

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$esxcli.system.settings.encryption.get.invoke() | Select RequireSecureBoot

Expected result:

Require Secure Boot: true

If "Require Secure Boot" is not enable, this is a finding.

Fix Text (F-62389r933280_fix)
This setting cannot be configured until Secure Boot is properly enabled in the servers firmware. From an ESXi shell, run the following commands: # esxcli system settings encryption set --require-secure-boot=true # /sbin/auto-backup.sh or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.settings.encryption.set.CreateArgs() $arguments.requiresecureboot = $true $esxcli.system.settings.encryption.set.Invoke($arguments) Evacuate the host and gracefully reboot for changes to take effect.

Fix Text (F-62389r933280_fix)

This setting cannot be configured until Secure Boot is properly enabled in the servers firmware.

From an ESXi shell, run the following commands:

# esxcli system settings encryption set --require-secure-boot=true
# /sbin/auto-backup.sh

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.settings.encryption.set.CreateArgs()
$arguments.requiresecureboot = $true
$esxcli.system.settings.encryption.set.Invoke($arguments)

Evacuate the host and gracefully reboot for changes to take effect.