UCSX-210C - ESXi OS Installation with UEFI Secure Boot - unsupported

Big Vern
Level 1

Background:
Hardware: Cisco UCSX-210C-M7
BIOS Firmware Version: X210M7.4.3.5a.0.0905240935
TPM: Enabled, Version 2.0 (Model: UCSX-TPM-002C)
ESXi Version: VMware ESXi 8.0.3, 24022 / vCenter 8.0.3

We have successfully installed ESXi in 7 servers on prem with UEFI and Secure boot. (All done through intersight)
We did this manually with a CISCO OEM image ISO and KVM, no errors and install went fine.

Then, when looking at something else, I came across the fact that this is not supported??!
https://intersight.com/help/saas/resources/operating_system_installation_overview#supported_operating_systems_for_intersight_managed_mode_servers

[screenshot: BigVern_0-1734535137304.png]

Following thought to *3 in 'Attention'

https://intersight.com/help/saas/resources/installing_an_operating_system#os_installation_with_uefi_secure_boot

Still makes no mention of ESXi being supported

[screenshot: BigVern_1-1734535273693.png]

Can someone explain this as though I'm a novice with UCS (which I am)?
Are we now running an unsupported setup?




Accepted Solution

Steven Tardy
Cisco Employee

Per VMware[1] `firstboot` is NOT supported when using UEFI secure boot.

[1] https://communities.vmware.com/t5/ESXi-Discussions/ESXi-automated-KS-install-with-EFI-Secure-Boot-skipping/td-p/2246111

Spoke with Engineering and this is actually by design. If you have Secure Boot enabled, %firstboot is not supported.
The reason for this is Secure Boot mandates only known tardisks can hold executable scripts,
and a kickstart script is an unknown source so it can not run when Secure Boot is enabled.
If you wish to continue to use %firstboot,
the only option is to disable Secure Boot and then enable it after the installation.
An alternative option is to convert your %firstboot logic into an external script
which can then be applied using the vSphere API (preferred method) and
this way you can still customize your ESXi host after the initial installation.
I have filed an internal documentation bug to add a note regarding Secure Boot and %firstboot.

Broadcom acquisition broke the link, but archive.org works great. (;

VMware doesn't want non-blessed code being run if "secure" boot is enabled.
So any `firstboot` logic needs to be incorporated into a .vib and signed/blessed by VMware.
If `firstboot` logic needs to change depending on installation choices, then the only option is to:

  1. disable secure boot,
  2. complete the installation including `firstboot`,
  3. re-enable secure boot.

Intersight docs state this supported UEFI two-step (or is it three-step) is what is happening:

In Cisco mode and Custom mode, the UEFI Secure Boot gets disabled during the workflow 
and is re-enabled automatically after installation.

 

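The accepted answer gives two ways around the %firstboot restriction: the disable/install/re-enable sequence Intersight performs, or moving the first-boot logic out of the kickstart and applying it after installation. The following is an added example (not code from the thread, Cisco or VMware) of the second approach: it parses an ESXi kickstart into its main directives and %pre/%post/%firstboot sections, flags whether a %firstboot section is present (the part Secure Boot will refuse to run because it is not inside a signed tardisk), and emits a kickstart with %firstboot removed plus the %firstboot body as a standalone script to apply later over SSH or to port to the vSphere API. The sample kickstart, the host name and the 192.0.2.x addresses are constructed; the shebang paths chosen for the ESXi shell (/bin/sh for busybox, /bin/python for python) are assumptions.

```python
"""Added example: split %firstboot out of an ESXi kickstart so the install
itself can run under UEFI Secure Boot, keeping the first-boot logic as a
standalone script to apply after installation.

Assumes the standard ESXi kickstart layout: a main block of install directives
followed by optional %pre / %post / %firstboot sections, each optionally taking
--interpreter=busybox|python and extending to the next %-directive or EOF.
"""
import re

SECTION_RE = re.compile(r"^%(pre|post|firstboot)\b(.*)$")

# Constructed sample kickstart; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_KS = """\
vmaccepteula
rootpw --iscrypted $6$examplehash
install --firstdisk --overwritevmfs
network --bootproto=static --ip=192.0.2.10 --netmask=255.255.255.0 --gateway=192.0.2.1 --hostname=esx01.example.test
reboot

%post --interpreter=busybox
echo "post-install marker" > /tmp/post.txt

%firstboot --interpreter=busybox
esxcli network firewall set --default-action false
esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1
vim-cmd hostsvc/enable_ssh
"""


def parse_kickstart(text):
    """Return (main_lines, sections); sections is a list of
    (name, interpreter, body_lines) in file order."""
    main, sections, current = [], [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            opts = re.search(r"--interpreter=(\S+)", m.group(2))
            current = (m.group(1), opts.group(1) if opts else "busybox", [])
            sections.append(current)
        elif current is None:
            main.append(line)
        else:
            current[2].append(line)
    return main, sections


def has_firstboot(text):
    """True if the kickstart contains a %firstboot section, which Secure Boot
    will refuse to run (the script is not inside a signed tardisk)."""
    return any(name == "firstboot" for name, _, _ in parse_kickstart(text)[1])


def split_firstboot(text):
    """Return (kickstart_without_firstboot, [standalone_scripts]).

    Each %firstboot body becomes its own script with a shebang chosen from its
    interpreter (assumed ESXi shell paths: /bin/sh for busybox, /bin/python
    for python); apply it post-install via SSH, or port the commands to the
    vSphere API as the accepted answer suggests."""
    main, sections = parse_kickstart(text)
    out, scripts = list(main), []
    for name, interp, body in sections:
        if name == "firstboot":
            shebang = "#!/bin/python" if interp == "python" else "#!/bin/sh"
            scripts.append(shebang + "\n" + "\n".join(body).rstrip() + "\n")
        else:
            out.append(f"%{name} --interpreter={interp}")
            out.extend(body)
    return "\n".join(out).rstrip() + "\n", scripts


if __name__ == "__main__":
    ks, scripts = split_firstboot(SAMPLE_KS)
    print("firstboot present in original:", has_firstboot(SAMPLE_KS))
    print("--- kickstart safe for Secure Boot ---")
    print(ks)
    for i, s in enumerate(scripts):
        print(f"--- firstboot script {i} (apply post-install) ---")
        print(s)
```

The %post section is kept in the kickstart because the installer runs it inside the install environment; only %firstboot executes on the installed system and therefore hits the signed-tardisk rule. Run has_firstboot() against your kickstart before pointing an Intersight or manual Secure Boot install at it.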

3 Replies


Firstly, thank you so much for the comprehensive and quick reply.
If I can be basic, to clarify for my own understanding, please:
So as we did not use any scripts (manual install using KVM via Intersight and Cisco OEM image), we are fully supported?

As a side note re. the documentation: nowhere (that we can see/understand) does it explicitly state, after it clearly states "UEFI Secure Boot" is not supported for ESXi, that the disable/re-enable workflow moves you into a supported position. Maybe we are misreading or misunderstanding, and it relates solely to script installs (which again it does not state, or it is not clear to us if that is the position).

many thanks !

 

With that being under section:

OS Installation with UEFI Secure Boot

I take it as auto-magical OS installation through Intersight with UEFI secure boot with ESXi isn't supported.

But if you install ESXi manually and enable UEFI Secure Boot after should still be a thing and supported.
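Before flipping Secure Boot on for a host that was installed without it, a practitioner wants to know the host will actually come back up: ESXi under UEFI Secure Boot requires every installed VIB to carry a valid signature, and VIBs at the CommunitySupported acceptance level are unsigned, so a host carrying one fails to boot once Secure Boot is enabled. The following is an added example (not code from the thread, Cisco or VMware) that parses the table printed by `esxcli software vib list` and flags unsigned VIBs. The table embedded below is constructed to look like that output (the column names are the real ones; the VIB names, versions, vendors and dates are invented). On a live host the authoritative check is `/usr/lib/vmware/secureboot/bin/secureBoot.py -c`, which verifies the signatures themselves rather than the acceptance level.

```python
"""Added example: pre-flight check before enabling UEFI Secure Boot on an ESXi
host that was installed with Secure Boot off.

Reads `esxcli software vib list` output (the sample below is constructed) and
reports any VIB whose acceptance level carries no signature.
"""
import re

# Acceptance levels whose VIBs are signed by VMware or a partner.
SIGNED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Constructed sample; real output comes from the host shell or SSH.
SAMPLE_VIB_LIST = """\
Name           Version                         Vendor  Acceptance Level    Install Date  Platforms
-------------  ------------------------------  ------  ------------------  ------------  ---------
esx-base       8.0.3-0.0.24022                 VMware  VMwareCertified     2024-12-10    host
nenic          2.0.11.0-1OEM.800.1.0.20613240  CIS     PartnerSupported    2024-12-10    host
acme-monitor   1.0.0-1                         ACME    CommunitySupported  2024-12-11    host
"""


def parse_vib_list(output):
    """Parse the fixed-width table into a list of dicts keyed by column name.
    Columns are separated by two or more spaces; the dashed ruler is skipped."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for ln in lines[1:]:
        if set(ln.strip()) <= {"-", " "}:
            continue
        rows.append(dict(zip(header, re.split(r"\s{2,}", ln.strip()))))
    return rows


def unsigned_vibs(output):
    """Names of VIBs whose acceptance level means they carry no signature."""
    return [r["Name"] for r in parse_vib_list(output)
            if r.get("Acceptance Level") not in SIGNED_LEVELS]


def secure_boot_ready(output):
    """True only if every VIB is at a signed level. Enabling Secure Boot with
    an unsigned VIB present leaves the host unable to boot, which is the
    failure mode this check exists to catch."""
    return not unsigned_vibs(output)


if __name__ == "__main__":
    bad = unsigned_vibs(SAMPLE_VIB_LIST)
    if bad:
        print("Do NOT enable Secure Boot yet; unsigned VIBs:", ", ".join(bad))
    else:
        print("All VIBs signed; safe to enable UEFI Secure Boot in the BIOS policy.")
```

Remove or replace any flagged VIB with a signed build, re-run the check, then enable Secure Boot in the server's BIOS policy and confirm on the host with `/usr/lib/vmware/secureboot/bin/secureBoot.py -s`.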
