Manual Update of the Secure Boot Platform Key in Virtual Machines

Article ID: 423919

Products

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi

Issue/Introduction

Virtual machines that do not have a valid Platform Key (PK) fail to complete automated updates to Secure Boot databases, including DB, DBX, and KEK.

Environment

  • VMware ESXi Server 7.x.
  • VMware ESXi Server 8.x.
  • VMware ESXi Server 9.x.

Cause

The Platform Key (PK) on virtual machines has an invalid signature, which causes updates to the Key Exchange Key (KEK) database to fail. As a result, the automated Secure Boot update process fails and reports error events or logs.

Note: This knowledge article replaces a previous article (KB 421593) in order to drop the suggestion of deleting the VM's NVRAM, because that action can unexpectedly corrupt the associated VM.

Resolution

Update the Platform Key that has an invalid signature by replacing it with the Windows OEM Device Key before performing any automated updates to the Secure Boot databases.

Caution: If a vTPM is present and disk encryption software (such as BitLocker on Windows or LUKS on Linux) is sealed to specific TPM PCR registers, preparatory steps are required before performing the key update. These steps include creating a VM snapshot, saving the recovery key (for BitLocker-type solutions), or temporarily disabling TPM-sealed disk encryption.

Manual Update Process for ESXi Releases

  1. Shut down the virtual machine.
  2. Take a snapshot of the VM.
  3. Attach a disk containing the Microsoft PK (see the Disk Preparation for Platform Key Update section below).
  4. Enable Secure Boot variable updates without authentication by adding the VMX advanced option uefi.allowAuthBypass = "TRUE".
  5. Force the VM to enter Setup Mode:
    • Edit Settings > VM Options > Boot Options
    • Enable Force EFI Setup
  6. Power on the VM.
  7. Navigate to Enter Setup > Secure Boot Configuration > PK Options > Enroll PK
    • Select the PK file from disk.
    • Review.
    • Commit changes and exit.
  8. After the update, remove the VMX entry: uefi.allowAuthBypass = "TRUE"
  9. Remove the disk added in Step 3 from the VM.
  10. Reboot the Virtual Machine.
  11. After completing the update and rebooting the virtual machine, verify that the Platform Key was updated successfully by running the commands below.
    • Linux
      mokutil --pk
    • Windows
      • Open Windows PowerShell
      • Execute the commands below:
        $pk = Get-SecureBootUEFI -Name PK
        $bytes = $pk.Bytes
        # Skip the 28-byte EFI_SIGNATURE_LIST header and the 16-byte SignatureOwner GUID (44 bytes in total)
        $cert = $bytes[44..($bytes.Length-1)]
        # Write next to the current PowerShell location explicitly; the .NET working directory can differ from $PWD
        [IO.File]::WriteAllBytes("$PWD\PK.der", $cert)
        certutil -dump PK.der
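The offset 44 in the PowerShell verification above is the 28-byte EFI_SIGNATURE_LIST header plus the 16-byte SignatureOwner GUID of the single X.509 entry that a PK holds. The following Python script is an added example, not part of this article or of VMware's tooling: it parses the variable structurally instead of hard-coding that offset and rejects malformed input, so the same function also works for KEK, db and dbx, which contain several lists. It assumes you feed it the raw variable bytes (from Get-SecureBootUEFI on Windows, or on Linux the efivars file PK-8be4df61-93ca-11d2-aa0d-00e098032b8c with its 4 leading attribute bytes removed); the sample PK blob it ships with is constructed and wraps a placeholder, not a real certificate.

```python
import struct
import uuid

# SignatureType GUID for X.509 certificate entries (EFI_CERT_X509_GUID, from the UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER_FMT = "<16sIII"  # SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER_LEN = struct.calcsize(ESL_HEADER_FMT)  # 28 bytes
OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID

def parse_signature_lists(data: bytes):
    """Walk every EFI_SIGNATURE_LIST in a Secure Boot variable (PK, KEK, db, dbx) and
    return a list of (signature_type, signature_owner, signature_data) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = struct.unpack_from(ESL_HEADER_FMT, data, off)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if sig_size <= OWNER_GUID_LEN or len(body) % sig_size != 0:
            raise ValueError("bad SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_GUID_LEN])
            entries.append((uuid.UUID(bytes_le=type_raw), owner, body[i + OWNER_GUID_LEN:i + sig_size]))
        off += list_size
    return entries

def extract_pk_certificate(data: bytes) -> bytes:
    """Return the DER certificate from a PK variable, which must hold exactly one X.509 entry."""
    certs = [sd for t, _, sd in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]
    if len(certs) != 1:
        raise ValueError("expected exactly one X.509 entry in PK, found %d" % len(certs))
    return certs[0]

def build_signature_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap a DER certificate in a single-entry EFI_SIGNATURE_LIST (used here to build sample input)."""
    sig_size = OWNER_GUID_LEN + len(cert_der)
    header = struct.pack(ESL_HEADER_FMT, EFI_CERT_X509_GUID.bytes_le, ESL_HEADER_LEN + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der

# Constructed sample input: a placeholder blob standing in for a real DER certificate, and a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")
SAMPLE_CERT = b"\x30\x82\x00\x10" + b"PLACEHOLDER-NOT-A-REAL-CERT"
SAMPLE_PK = build_signature_list(SAMPLE_CERT, SAMPLE_OWNER)

if __name__ == "__main__":
    cert = extract_pk_certificate(SAMPLE_PK)
    print("certificate begins at offset %d, %d bytes" % (ESL_HEADER_LEN + OWNER_GUID_LEN, len(cert)))
```

Pipe the extracted bytes into `openssl x509 -inform der -noout -subject` to confirm the subject is the Windows OEM Devices PK rather than the old key.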

Disk Preparation for Platform Key Update

A temporary FAT32 disk is required to stage the Platform Key (PK) and related certificates for the Secure Boot update process.

Linux (Ubuntu / Debian)

  1. Add and prepare a 128-MB FAT32 Disk
    • Add a 128-MB virtual disk to the virtual machine.
    • Identify the newly added disk: lsblk
      Note: The commands below assume the newly added disk is detected as /dev/sdb; adjust the device name if yours differs.
    • Format the disk as FAT32 and assign a label: sudo mkfs.vfat -F 32 -n KEYUPDATE /dev/sdb
    • Create a mount point and mount the disk:
      sudo mkdir -p /mnt/keys
      sudo mount /dev/sdb /mnt/keys
    • Verify that the disk is mounted successfully: mount | grep keys
  2. Download the Platform Key (PK) certificate (the Windows OEM Devices PK; see Additional Issues below for a download link and DER conversion).
  3. Copy Certificates and Unmount the Disk.
    • Copy the certificate files to the FAT32 disk: sudo cp WindowsOEMDevicesPK.der /mnt/keys
    • Unmount the disk: sudo umount /mnt/keys

Windows

  1. Add a 128-MB virtual disk to the virtual machine.
  2. Format the Disk as FAT32
    • GUI Method
      • Press Win + R.
      • Type diskmgmt.msc and press Enter.
      • Use Disk Management to format the disk as FAT32.
    • Command Line Method: format /FS:FAT32 X:
      Note: Replace X: with the appropriate drive letter.
  3. Download the Platform Key (PK) certificate (the Windows OEM Devices PK; see Additional Issues below for a download link and DER conversion).
  4. Copy the certificate to the newly formatted 128-MB volume.

Additional Information

Manual Process to Update KEK

To manually update the KEK certificate on the virtual machine, follow the instructions below:

  1. Download the updated certificate from Microsoft via the link https://go.microsoft.com/fwlink/?linkid=2239775.
  2. Convert the certificate to DER format using the openssl command below:
    openssl x509 -inform der -in KEK.cer -outform der -out KEK-2023.der
  3. Copy the converted certificate in DER format (KEK-2023.der) to the staging disk described in the Disk Preparation for Platform Key Update section above.
  4. Boot the VM into EFI setup again.
  5. Update the KEK by selecting the below menu options:
    1. Secure Boot Configuration
    2. KEK Options
    3. Enroll KEK
    4. Select the file KEK-2023.der
    5. Commit Changes and Exit

Additional Issues

  1. On Windows, if an error like the following is reported when applying the PK cert, try downloading the .der file again as it may have been corrupted in transport:
    Only DER encoded certificate file (*.cer/der/crt) is supported
  2. Alternatively, a PEM version of the cert can be downloaded from the link https://go.microsoft.com/fwlink/?linkid=2255361 and then converted into DER format using the openssl command below (note the PEM input format; -inform der would fail on a PEM file):
    openssl x509 -inform pem -in PK.cer -outform der -out PK.der