This blog post is written by Shiva Katta & Krishnaprasad K

Intel TXT (Trusted Execution Technology) is a hardware security feature that protects IT infrastructure against software-based attacks by validating the behavior of key components within a server during startup. Each time VMware ESXi boots with TXT, it measures the VMkernel and a subset of modules (VIBs) and stores the measurements in Platform Configuration Register (PCR) 20 of the TPM (Trusted Platform Module). In a nutshell, when Intel TXT is enabled, VMware ESXi boots in a measured (secure) mode that records the integrity of the VMkernel and other components. Note that measuring is not enforcement: the PCR values record what was loaded so that an external attestation service can compare them against known-good values; detecting a tampered VMkernel still requires something to read and verify those PCRs. Intel TXT support for VMware ESXi starts with VMware ESXi 4.1 Update 1. This feature is not supported on the classic VMware ESX edition.

Pre-requisites for trusted boot enablement in VMware ESXi

  • Processor silicon with trusted extensions integrated (Intel Xeon processor 5600 series onwards)
  • TPM 1.2 with TXT provisioning done (all Intel-based Dell PowerEdge 11th and 12th Generation servers support Intel TXT)
  • Intel TXT enabled in both the BIOS and the hypervisor.
    • NOTE: Refer to the VMware HCL for the Dell platforms supported with Intel TXT and VMware ESXi.

Behavioral difference of trusted boot between VMware ESXi 4.x & 5.x

  • For VMware ESXi 4.x, TXT is disabled by default and needs to be enabled manually.
  • For VMware ESXi 5.0, TXT is enabled by default and doesn't require any manual settings from the VMware ESXi side.
  • The versions also differ in how trusted boot behaves when the server fails to meet the pre-requisites listed above.
    • For VMware ESXi 5.x, if the pre-requisites are not met, the kernel doesn't boot in a measured environment. It automatically falls back to normal mode and continues booting.
    • For VMware ESXi 4.x, if the pre-requisites are not met and TXT has been enabled manually in VMware ESXi, the boot fails and the system resets continuously. This behavior was changed in 4.1 Update 2, which falls back in the same way as ESXi 5.0.

Enabling trusted boot in VMware ESXi

Generally, enabling TXT is a two-step process: enable TXT under Security Settings in the Dell PowerEdge server BIOS (mandatory), then enable TXT in VMware ESXi (mandatory only for VMware ESXi 4.x).

  • Enable the TPM and TXT options in the BIOS of Intel-based Dell PowerEdge 11th Generation/12th Generation servers.
  • For VMware ESXi 4.x
    • Install VMware ESXi 4.1 Update 1 (or later) on a system that meets the above pre-requisites.
    • After VMware ESXi boots successfully, enable trusted boot by running the command below from tech support mode, then reboot the ESXi host.
             ~# esxcfg-advcfg -k 1 /Misc/enableTboot
             Reboot the host once the above setting is done.
  • For VMware ESXi 5.x
    • If all the above pre-requisites are met, VMware ESXi 5.x performs a trusted boot automatically.

Verifying trusted boot

  • For VMware ESXi 4.x
    • If tboot.gz is listed as the kernel in /bootbank/boot.cfg, the trusted boot was successful.
    • Check the value of the enableTboot advanced setting with the command esxcfg-advcfg -g /Misc/enableTboot. If the command returns '1', the current boot is in trusted mode.
  • For VMware ESXi 5
    • If the command bootOption -o lists vmbTbootEnabled=True among the boot-time options, the current boot is in trusted mode. The value is False when the boot was not trusted.
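The two verification steps above can be scripted so a host's boot mode is checked the same way every time. The script below is an added example and not part of the original post: it wraps the two indicators the post describes (the kernel= line of /bootbank/boot.cfg for 4.x, and vmbTbootEnabled among the output of bootOption -o for 5.x) as POSIX sh functions. The file names, the write_samples helper and the sample boot.cfg and bootOption output it generates are constructed for illustration rather than captured from a real host; on an ESXi host you would pass the real /bootbank/boot.cfg, or a file holding the output of bootOption -o, to check_trusted_boot instead.

```shell
#!/bin/sh
# Added example (not from the original post): offline checker for the two
# trusted-boot indicators described above. The sample inputs written by
# write_samples are constructed, not captured from a real ESXi host.

# ESXi 4.x indicator: the kernel= line of boot.cfg names tboot.gz.
# Prints "trusted" or "untrusted"; exit status 0 = trusted, 1 = not, 2 = error.
check_bootcfg() {
    bootcfg="$1"
    [ -r "$bootcfg" ] || { echo "error: cannot read $bootcfg" >&2; return 2; }
    # Match kernel=tboot.gz or kernel=/tboot.gz, but not a modules= line.
    if grep -q '^kernel=.*tboot\.gz' "$bootcfg"; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# ESXi 5.x indicator: vmbTbootEnabled=True appears among the boot-time options.
# $1 is a file holding the captured output of "bootOption -o". The option is
# matched as a whole token so that the check is independent of whether the
# options are printed one per line or space-separated on a single line.
check_bootoption() {
    opts="$1"
    [ -r "$opts" ] || { echo "error: cannot read $opts" >&2; return 2; }
    if grep -Eqi '(^|[[:space:]])vmbTbootEnabled=True([[:space:]]|$)' "$opts"; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# Dispatch on the ESXi major version ("4" or "5"); anything else is rejected
# rather than guessed, since the indicator differs between releases.
check_trusted_boot() {
    case "$1" in
        4) check_bootcfg "$2" ;;
        5) check_bootoption "$2" ;;
        *) echo "error: unsupported ESXi major version '$1'" >&2; return 2 ;;
    esac
}

# Constructed sample inputs (hypothetical; not captured from a real host).
write_samples() {
    dir="$1"
    cat > "$dir/boot.cfg.trusted" <<'EOF'
bootstate=0
title=Loading VMware ESXi
kernel=tboot.gz
kernelopt=
modules=vmkernel.gz --- sys.vgz --- cim.vgz
EOF
    cat > "$dir/boot.cfg.untrusted" <<'EOF'
bootstate=0
title=Loading VMware ESXi
kernel=vmkernel.gz
kernelopt=
modules=sys.vgz --- cim.vgz
EOF
    printf 'vmbTbootEnabled=True\n' > "$dir/bootoption.trusted"
    printf 'vmbTbootEnabled=False\n' > "$dir/bootoption.untrusted"
}

# Run all four samples through the checker and report the result of each.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in boot.cfg.trusted boot.cfg.untrusted; do
        printf 'ESXi 4.x %-20s ' "$f:"; check_trusted_boot 4 "$tmp/$f"
    done
    for f in bootoption.trusted bootoption.untrusted; do
        printf 'ESXi 5.x %-20s ' "$f:"; check_trusted_boot 5 "$tmp/$f"
    done
    rm -rf "$tmp"
    return 0
}

demo
```

On a host, `check_trusted_boot 4 /bootbank/boot.cfg` or `bootOption -o > /tmp/opts; check_trusted_boot 5 /tmp/opts` gives the answer as a printed word and an exit status, which is convenient for a post-provisioning check that should fail loudly when a server silently fell back to an unmeasured boot.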

Refer to the VMware KB article "Support of Trusted Execution Technology (TXT) on ESXi 4.1 and ESXi 5.0" for further details.