UEFI Secure Boot is a feature described by the UEFI specification (2.3.1c), which is available from the UEFI Forum site. Secure Boot uses a database of digital signatures to validate the integrity of firmware, the operating system, or UEFI drivers. These digital signatures must be generated using a special signing certificate from a specific Certificate Authority. When an executable like a boot loader or Option ROM is discovered, the UEFI firmware checks whether:
– The executable is signed with an authorized key, or
– The key, signature, or hash of the executable is stored in the authorized signature database.
If the firmware doesn't match a digital signature, the computer won't boot until signed firmware is restored.
From ESXi 6.5, VMware introduced support for UEFI Secure Boot. Dell's 13th generation of PowerEdge servers supports UEFI Secure Boot.
Refer to the white paper on Dell TechCenter, which provides useful information for users who plan to use UEFI Secure Boot on Dell PowerEdge servers with VMware ESXi installed. It describes the high-level flow of UEFI Secure Boot in VMware ESXi, followed by the system firmware settings required to enable it. The paper also covers the ESXi utilities for checking Secure Boot status and the acceptance levels in ESXi, and it discusses troubleshooting options that are useful when users encounter some of the known error codes.
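As an added example (not from the white paper, Dell or VMware), the following POSIX sh snippet combines the two ESXi-side checks the paper refers to, Secure Boot status and host acceptance level, into one verdict. It assumes `secureBoot.py -s` prints `Enabled` or `Disabled` and that `esxcli software acceptance get` prints one of the four VMware acceptance level names.

```shell
#!/bin/sh
# Added example: summarise the two ESXi checks a Secure Boot host needs to pass.
# Assumptions: /usr/lib/vmware/secureboot/bin/secureBoot.py -s prints
# "Enabled" or "Disabled"; `esxcli software acceptance get` prints one of
# VMwareCertified, VMwareAccepted, PartnerSupported or CommunitySupported.

SECUREBOOT_PY=/usr/lib/vmware/secureboot/bin/secureBoot.py

# classify_host STATUS LEVEL
# Prints a one-line verdict and returns 0 when Secure Boot is enabled and the
# acceptance level guarantees every installed VIB carries a VMware or partner
# signature; returns 1 otherwise. The function takes plain strings so it can
# be exercised with sample values off the host.
classify_host() {
    status=$1
    level=$2
    case "$status" in
        Enabled) ;;
        Disabled)
            echo "secure boot disabled: firmware does not validate the boot loader"
            return 1 ;;
        *)
            echo "unknown secure boot status: $status"
            return 1 ;;
    esac
    case "$level" in
        VMwareCertified|VMwareAccepted|PartnerSupported)
            echo "secure boot enabled, acceptance level $level: all VIBs are signed"
            return 0 ;;
        CommunitySupported)
            echo "secure boot enabled but acceptance level $level permits unsigned VIBs"
            return 1 ;;
        *)
            echo "unknown acceptance level: $level"
            return 1 ;;
    esac
}

# On a real ESXi host, feed the live values in; elsewhere this block is skipped.
if [ -x "$SECUREBOOT_PY" ] && command -v esxcli >/dev/null 2>&1; then
    live_status=$("$SECUREBOOT_PY" -s)
    live_level=$(esxcli software acceptance get)
    classify_host "$live_status" "$live_level"
fi
```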