ESXi 6.7 UEFI, SecureBoot, and AutoDeploy

ryanyeeez12a
Level 1

Hello,


Environment: B200 M4 blades, all managed by UCS Central, vCenter 6.7 with AutoDeploy


Forgive me if this was already stated, and forgive my limited understanding of SecureBoot and TPM. I am trying to stateless boot ESXi 6.7 hosts with vCenter's AutoDeploy feature. Most articles I'm finding are for boot from SAN or local disk.


I can successfully boot the host with AutoDeploy with the boot policy set to legacy mode. However, I get the TPM Attestation alert on the host once it's booted. If I disable the TPM in BIOS, I get the config issue "Unable to provision Endorsement Key on TPM 2.0 device: No RSA Endorsement Key certificate found in TPM 2.0 device's non-volatile memory." It's not a critical alert like the attestation warning, but it's there, for obvious reasons.


If I switch the boot profile to UEFI and SecureBoot, and change DHCP to present the UEFI boot image (VMware-provided iPXE image), I get an "invalid signature detected" upon boot. My understanding is that the VMware iPXE image is not signed by a Microsoft CA or Cisco CA: https://kb.vmware.com/s/article/2148532


There is also a bug, CSCvd89769, for ESXi 6.5 Secure Boot support, but it is not clear whether or not it's from AutoDeploy or SAN boot.


Cisco does not currently provide any way to whitelist certificates within UEFI, at least from a UCS Central standpoint, unless I'm mistaken. Is there a way to add or create a secure boot policy with the VMware certificate?

edit: I see here:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/CLI-User-Guides/Server-Mgmt/3-2/b_Cisco_UCS_Manager_Server_Mgmt_CLI_Guide_3_2/b_Cisco_UCS_Manager_Server_Mgmt_CLI_Guide_3_2_chapter_01011.html

  • User-generated encryption keys are not supported.
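Before blaming the firmware for "invalid signature detected", it helps to confirm whether the boot image handed out over DHCP/TFTP carries an Authenticode signature at all. The script below is an added example, not code from the post, VMware or Cisco: it walks the PE/COFF headers of a UEFI binary, reads the Security data directory and reports the embedded WIN_CERTIFICATE type. It does not validate the certificate chain against the firmware's db, so a "signed" result still says nothing about whether the platform trusts the signer. The sample images it builds are constructed stand-ins, not real iPXE binaries.

```python
import struct

IMAGE_SUBSYSTEM_EFI_APPLICATION = 10      # PE Subsystem value for UEFI applications
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def inspect_efi_image(data: bytes) -> dict:
    """Return the PE subsystem and Authenticode signature metadata of a UEFI binary."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20                                      # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: Security directory (index 4) at optional-header offset 128
        sec_dir = opt + 128
    elif magic == 0x20B:      # PE32+ (x64 UEFI): Security directory at offset 144
        sec_dir = opt + 144
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    cert_off, cert_len = struct.unpack_from("<II", data, sec_dir)
    info = {"subsystem": subsystem,
            "is_efi_app": subsystem == IMAGE_SUBSYSTEM_EFI_APPLICATION,
            "signed": cert_len > 0, "cert_type": None}
    if cert_len:
        # Unlike other directories, this entry is a raw file offset to a WIN_CERTIFICATE
        _dw_len, _rev, ctype = struct.unpack_from("<IHH", data, cert_off)
        info["cert_type"] = ctype
        info["pkcs7"] = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
    return info

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ EFI application, optionally with a dummy WIN_CERTIFICATE."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # PE header right after DOS stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                       # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    body_len = len(hdr) + len(coff) + len(opt)
    cert = b""
    if signed:
        # Placeholder certificate blob: header only, the DER payload is fake
        cert = struct.pack("<IHH", 12, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\x30\x02\x00\x00"
        struct.pack_into("<II", opt, 144, body_len, len(cert))
    return bytes(hdr) + coff + bytes(opt) + cert

if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_efi_image(build_sample(flag)))
```

To check a real image, read the `.efi` file into `data` and call `inspect_efi_image(data)`; an unsigned result means the firmware will reject it under Secure Boot regardless of which CAs are enrolled.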
