Manual Update of the Secure Boot Platform Key in Virtual Machines

Article ID: 423919

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi

Issue/Introduction

Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including DB, DBX, and KEK.

Environment

  • ESXi 7.x.
  • ESXi 8.x.
  • ESX 9.x.

Cause

The Platform Key (PK) on some virtual machines has an invalid signature, which causes updates to the KEK database to fail. As a result, the automated Secure Boot update process fails and reports error events/logs.

Resolution

Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.

Caution: If a vTPM is present and disk encryption software (such as BitLocker on Windows or LUKS on Linux) is sealed to specific TPM PCR registers, preparatory steps are required before performing the key update. These steps include creating a VM snapshot, saving the recovery key (for BitLocker-type solutions), or temporarily disabling TPM-sealed disk encryption.

Manual Update Process for ESXi Releases

  1. Shut down the virtual machine.
  2. Take a snapshot of the VM.
  3. Attach a disk containing the Microsoft PK (see the Disk Preparation section).
  4. Enable Secure Boot variable updates without authentication by adding a VMX advanced option:

    1. Select the VM from vSphere Client and navigate to:

      VC 7.x: Edit Settings → VM Options → Advanced → Edit Configuration
      VC 8.x and 9.x: Edit Settings → Advanced Parameters

      Refer to the documentation below:
      Configure Virtual Machine Advanced File Parameters (8.x/9.x)
      Edit Configuration File Parameters (7.x)

    2. Add new option: uefi.allowAuthBypass = "TRUE"

  5. Force the VM to enter Setup Mode:

    1. Edit Settings → VM Options → Boot Options
    2. Enable Force EFI Setup

  6. Power on the VM.
  7. Navigate to Enter Setup → Secure Boot Configuration → PK Options → Enroll PK

    1. Select the PK file from disk
    2. Review
    3. Commit changes and exit

  8. After the update, remove the VMX entry:

    uefi.allowAuthBypass = "TRUE"

  9. Remove the disk added in Step 3 from the VM.
  10. Reboot the Virtual Machine.
  11. After completing the update and rebooting the virtual machine, verify that the Platform Key has been updated successfully by executing the commands below.

    1. Linux

      mokutil --pk


    2. Windows

      1. Open Windows PowerShell
      2. Execute the commands below:

        # Read the raw PK variable (an EFI_SIGNATURE_LIST holding one X.509 entry)
        $pk = Get-SecureBootUEFI -Name PK
        $bytes = $pk.Bytes
        # Skip the 28-byte EFI_SIGNATURE_LIST header and the 16-byte SignatureOwner GUID
        $cert = $bytes[44..($bytes.Length-1)]
        [IO.File]::WriteAllBytes("PK.der", $cert)
        # Print the certificate details (issuer/subject should be the Windows OEM Devices PK)
        certutil -dump PK.der
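The PowerShell offset 44 above comes from the EFI_SIGNATURE_LIST layout (28-byte list header followed by a 16-byte SignatureOwner GUID). The following parser, added here as an example and not part of the KB article, walks that structure explicitly and checks that the PK holds exactly one X.509 entry; the certificate bytes and owner GUID in the sample are constructed placeholders, not a real certificate.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType of a DER-encoded X.509 certificate entry (UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
_LIST_HDR = struct.Struct("<16sIII")
GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(data: bytes):
    """Return [(signature_type, owner_guid, payload)] for every EFI_SIGNATURE_DATA in `data`.

    `data` is the raw variable value, e.g. (Get-SecureBootUEFI -Name PK).Bytes on Windows;
    for /sys/firmware/efi/efivars/PK-* on Linux, drop the 4-byte attribute prefix first.
    """
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(data, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("SignatureListSize does not fit the variable")
        body = data[off + _LIST_HDR.size + hdr_size:off + list_size]
        if sig_size <= GUID_LEN or len(body) % sig_size:
            raise ValueError("SignatureSize inconsistent with the list body")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + GUID_LEN])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, body[i + GUID_LEN:i + sig_size]))
        off += list_size
    return entries


def extract_pk_certificate(data: bytes) -> bytes:
    """Return the one DER certificate a well-formed PK carries; raise on anything else."""
    certs = [p for t, _, p in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]
    if len(certs) != 1:
        raise ValueError(f"PK should hold exactly one X.509 entry, found {len(certs)}")
    return certs[0]


def build_pk_variable(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Pack a single X.509 entry into an EFI_SIGNATURE_LIST (used here to build sample input)."""
    sig_size = GUID_LEN + len(cert_der)
    header = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, _LIST_HDR.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


# Constructed sample: a DER-shaped placeholder (NOT a real certificate) and a made-up owner GUID.
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-0000c0ffee01")
SAMPLE_PK = build_pk_variable(SAMPLE_CERT, SAMPLE_OWNER)
```

Feed the DER returned by extract_pk_certificate to certutil or openssl x509 to confirm the subject is the Windows OEM Devices PK.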

Disk Preparation for Platform Key Update

A temporary FAT32 disk is required to stage the Platform Key (PK) and related certificates for the Secure Boot update process.

Linux (Ubuntu / Debian)

  1. Add and Prepare a 128-MB FAT32 Disk

    1. Add a 128-MB virtual disk to the virtual machine.
    2. Identify the newly added disk:

      lsblk

      Note: The commands below assume the newly added disk is detected as /dev/sdb.

    3. Format the disk as FAT32 and assign a label:

      sudo mkfs.vfat -F 32 -n KEYUPDATE /dev/sdb

    4. Create a mount point and mount the disk:

      sudo mkdir -p /mnt/keys
      sudo mount /dev/sdb /mnt/keys

    5. Verify that the disk is mounted successfully:

      mount | grep keys

  2. Download Platform Key (PK) Certificate

    1. Download the required certificate from Microsoft:
      1. Platform Key (PK) - WindowsOEMDevicesPK.der

  3. Copy Certificates and Unmount the Disk

    1. Copy the certificate files to the FAT32 disk:

      sudo cp WindowsOEMDevicesPK.der /mnt/keys

    2. Unmount the disk:

      sudo umount /mnt/keys

Windows

  1. Add a 128-MB virtual disk to the virtual machine.
  2. Format the Disk as FAT32

    1. GUI Method

      1. Press Win + R
      2. Type diskmgmt.msc and press Enter
      3. Use Disk Management to format the disk as FAT32

    2. Command Line Method

      format X: /FS:FAT32

      Note: Replace X: with the drive letter assigned to the newly added disk.

  3. Download Platform Key (PK) Certificate

    1. Download the required certificate from Microsoft:
      1. Platform Key (PK) - WindowsOEMDevicesPK.der

  4. Copy the certificate to the newly formatted 128-MB volume.