Unable to enable Secure Boot in ESXi 6.x

Article ID: 319600

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Secure Boot cannot be enabled in ESXi 6.x after a live VIB install.
  • Running the command /usr/lib/vmware/secureboot/bin/secureBoot.py -c fails with the following message:
 Secure boot CANNOT be enabled: Failed to verify signatures of the following vib(s): [esx-base]. All tardisks validated. All acceptance levels validated esx-base 6.5.0-3.120.15256549 VMware VMwareCertified Error: [Failed to verify checksum for payload btldr: Not found].
  • The esxupdate.log file contains an entry similar to the following:
YYYY-MM-DDTHH:MM:SSZ esxupdate: 75720: LiveImageInstaller: ERROR: Failed to verify checksum for payload btldr: Not found
 
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.5

Cause

  • After a VIB transaction such as a VIB install, the live environment is temporarily unable to run the Secure Boot check: once ESXi has been patched or upgraded and before the host is rebooted, btldr is unmounted and esx-base has changed.

Resolution

Reboot the ESXi host. Secure Boot can then be enabled.

Note: If you see this error when Secure Boot is already enabled, no action is needed, since bootbank integrity is unaffected.
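
The following triage helper is an added example, not part of the original article or VMware tooling. It matches secureBoot.py -c output and esxupdate.log lines against the exact messages quoted above and returns the action this article gives; any other failed VIB or payload is left for manual review. The function names, return labels, the secure_boot_enabled parameter (supplied by the caller) and the second sample output and log timestamps are assumptions constructed for illustration.

```python
import re

# Patterns follow the message formats quoted in this article.
VIBS_RE = re.compile(r"Secure boot CANNOT be enabled: Failed to verify "
                     r"signatures of the following vib\(s\): \[([^\]]*)\]")
PAYLOAD_RE = re.compile(r"Failed to verify checksum for payload ([^\s:]+):")
LOG_RE = re.compile(r"^(\S+) esxupdate: \d+: LiveImageInstaller: ERROR: "
                    r"Failed to verify checksum for payload btldr: Not found\s*$")


def classify_check(output, secure_boot_enabled=False):
    """Map secureBoot.py -c output to the action this article gives."""
    failed = VIBS_RE.search(output)
    if not failed:
        return "no-known-failure"      # the failure line is not present
    payloads = set(PAYLOAD_RE.findall(output))
    known = (failed.group(1).strip() == "esx-base"
             and payloads == {"btldr"}
             and "payload btldr: Not found" in output)
    if not known:
        return "manual-review"         # different VIB or payload: not this article
    return "no-action" if secure_boot_enabled else "reboot-then-recheck"


def btldr_log_hits(lines):
    """Timestamps of esxupdate.log entries carrying the btldr error."""
    return [m.group(1) for m in map(LOG_RE.match, lines) if m]


# Message copied from the article.
ARTICLE_OUTPUT = ("Secure boot CANNOT be enabled: Failed to verify signatures "
    "of the following vib(s): [esx-base]. All tardisks validated. All "
    "acceptance levels validated esx-base 6.5.0-3.120.15256549 VMware "
    "VMwareCertified Error: [Failed to verify checksum for payload btldr: "
    "Not found].")
# Constructed inputs: hypothetical VIB/payload names and made-up timestamps.
OTHER_OUTPUT = ("Secure boot CANNOT be enabled: Failed to verify signatures "
    "of the following vib(s): [example-vib]. Error: [Failed to verify "
    "checksum for payload example: Not found].")
SAMPLE_LOG = [
    "2020-01-01T10:00:00Z esxupdate: 75720: LiveImageInstaller: ERROR: "
    "Failed to verify checksum for payload btldr: Not found",
    "2020-01-01T10:00:05Z esxupdate: 75720: constructed unrelated line",
]

if __name__ == "__main__":
    print(classify_check(ARTICLE_OUTPUT), btldr_log_hits(SAMPLE_LOG))
```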