Verify Platform Key content integrity from vSphere.

Article ID: 442672

Products

VMware vSphere ESXi

Issue/Introduction

Before ESXi 8.0U3j, when a VM was powered on for the first time, the host generated a PK (Platform Key) with empty content by design.

This has been fixed in ESXi 8.0U3j. This article describes two ways to verify the PK content integrity at the vSphere level.

Resolution

※ The VM must have been powered on at least once before verification.

Approach 1

  • Connect via SSH to the host where the VM is registered.
  • Change directory to the VM folder.
    cd /vmfs/volumes/<Datastore-Name>/<VM-Name>
  • Search for the PK in the .nvram file.
    hexdump -C *nvram | grep -B15 PK
  • If content similar to the following is detected (the PK certificate's issuer and subject names, ending in "Windows OEM Devices PK"), the PK's integrity is verified.
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |Z1.0...U....US1.|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |0...U....Microso|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |ft Corporation1+|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |0)..U..."Microso|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |ft RSA Third Par|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |ty PCA 20230...2|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |30921202826Z..38|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |0918202826Z0u1.0|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |...U....US1.0...|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |U....Washington1|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |.0...U....Redmon|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |d1.0...U....Micr|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |osoft Corporatio|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |n1.0...U....Wind|
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |ows OEM Devices |
########  ## ## ## ## ## ## ##  ## ## ## ## ## ## ## ##  |PK0.."0...*.H...|
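
The same check as a script, as an added example that is not VMware's code: it automates the idea behind the hexdump/grep step by walking every DER structure it can find in a copy of the .nvram file, collecting the X.509 name strings, and reporting whether the expected PK subject CN is present. It assumes the PK certificate is stored as raw DER bytes inside the file (the .nvram container layout itself is not parsed); the sample input at the bottom is constructed for the example and is not a real dump.

```python
"""Offline check of a copied VM .nvram file for a non-empty Platform Key (PK).

Added example, not VMware code. Assumption: the PK certificate sits in the
file as raw DER; the surrounding .nvram container format is not parsed.
"""
import sys

EXPECTED_PK_SUBJECT_CN = "Windows OEM Devices PK"   # subject CN seen in the KB hexdump
MAX_DEPTH = 32                                       # guard against junk nesting chains


def der_tlv(data, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag = data[pos]                # IndexError on truncation is caught by the caller
    length = data[pos + 1]
    pos += 2
    if length & 0x80:              # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, pos, end


def collect_strings(data, start, end, out, depth=0):
    """Walk constructed DER nodes, adding PrintableString/UTF8String values to out."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(data, pos)
        if vend > end:                       # a child may never overrun its parent
            raise ValueError("element overruns parent")
        if tag & 0x20:                       # constructed: SEQUENCE, SET, ...
            collect_strings(data, vstart, vend, out, depth + 1)
        elif tag in (0x13, 0x0C):            # PrintableString, UTF8String
            out.add(data[vstart:vend].decode("utf-8", "replace"))
        pos = vend


def extract_name_strings(blob):
    """Try a DER SEQUENCE parse at every 0x30 byte; keep string values that parse cleanly.

    Parses that fail on non-DER bytes are skipped, so the scan tolerates the rest of
    the .nvram content. A set absorbs the repeats from nested SEQUENCEs.
    """
    found = set()
    i = blob.find(b"\x30")
    while i >= 0:
        try:
            _, vstart, vend = der_tlv(blob, i)
            collect_strings(blob, vstart, vend, found)
        except (ValueError, IndexError):
            pass
        i = blob.find(b"\x30", i + 1)
    return found


def classify_pk(blob):
    """Return ('verified', names) when the expected PK subject CN is present, else ('not verified', names)."""
    names = extract_name_strings(blob)
    status = "verified" if EXPECTED_PK_SUBJECT_CN in names else "not verified"
    return status, sorted(names)


# --- constructed sample data: a stand-in for a .nvram file, not a real dump ---
def _der(tag, payload):
    """Minimal DER encoder used only to build the sample."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _rdn(oid, value):
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, PrintableString } }."""
    return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, value.encode())))


OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0A", b"\x55\x04\x03"


def sample_nvram(with_pk_cert):
    """Filler bytes, the PK variable name and, optionally, a certificate-like SEQUENCE
    carrying the issuer and subject names shown in the KB hexdump."""
    filler = bytes(range(256)) * 2          # arbitrary non-DER bytes (contains 0x30 and 0x13)
    body = b"PK\x00\x00"
    if with_pk_cert:
        issuer = _der(0x30, _rdn(OID_C, "US") + _rdn(OID_O, "Microsoft Corporation")
                      + _rdn(OID_CN, "Microsoft RSA Third Party PCA 2023"))
        subject = _der(0x30, _rdn(OID_C, "US") + _rdn(OID_O, "Microsoft Corporation")
                       + _rdn(OID_CN, EXPECTED_PK_SUBJECT_CN))
        body += _der(0x30, _der(0x02, b"\x01") + issuer + subject + _der(0x04, b"\xAA" * 300))
    return filler + body + filler


if __name__ == "__main__":
    # Usage: python check_pk.py /path/to/copied/<VM-Name>.nvram (no path: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_nvram(True)
    status, names = classify_pk(data)
    print("PK integrity:", status)
    for name in names:
        print("  name string:", name)
```

Copy the .nvram file off the host (for example with scp) and run the script against the copy; it never writes to the file. The scan is deliberately tolerant: a SEQUENCE parse is attempted at every 0x30 byte and junk is discarded, so the verdict rests only on whether the expected subject CN was recovered from a well-formed DER name, which is stricter than the plain text match of the grep step.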

Approach 2

  • Shut down the VM.
  • Add the following parameter to the VM's advanced settings, following Configure Virtual Machine Advanced File Parameters:
    uefi.allowAuthBypass = "TRUE"
  • Force the VM to enter Setup Mode.
    • Edit Settings > VM Options > Boot Options
    • Enable Force EFI Setup
  • Navigate to Enter Setup > Secure Boot Configuration > PK Options > Delete PK to view the name of the installed PK.
  • If "Windows OEM Devices PK" is detected, the PK's integrity is verified.
  • If "VMware default PK" is detected, the PK's integrity is not verified.