Using ESXi Kickstart %firstboot with Secure Boot

06.26.2018 by William Lam // 6 Comments

If you install ESXi via a Kickstart script and make use of the %firstboot option to execute commands on the first boot of the ESXi host after installation, you should be aware that it is incompatible with the Secure Boot feature. If you install ESXi with Secure Boot enabled, the Kickstart script will install ESXi normally and execute everything up to and including the %post section. However, it will not execute the %firstboot scripts, and if you look at /var/log/kickstart.log after the host boots, you will see the following message:

INFO UEFI Secure Boot Enabled, skipping execution of /var/lib/vmware/firstboot/001.firstboot_001

If you have Secure Boot enabled, %firstboot is not supported. The reason is that Secure Boot only allows executable scripts to be run from known tardisks; a kickstart script comes from an unknown source, so it cannot run while Secure Boot is enabled. If you wish to continue using %firstboot scripts, the only option is to disable Secure Boot and re-enable it after the installation. A preferred alternative is to convert your %firstboot logic into an external script which is then applied using the vSphere API (the recommended method); this way you can still customize your ESXi host after the initial installation. I have already filed an internal documentation bug to add a note regarding Secure Boot and %firstboot, which hopefully will roll out with the next documentation refresh.
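As an added example (not code from this post or from VMware), here is one way to put the recommendation above into practice for the DNS settings a commenter below asks about: check /var/log/kickstart.log for the skip message, and push the DNS configuration through the vSphere API with pyVmomi instead of %firstboot. The host name, credentials and DNS values are placeholders, the log sample is constructed, and apply_dns_config is a hypothetical helper.

```python
"""Detect %firstboot scripts skipped by Secure Boot and apply DNS settings via the vSphere API."""
import re
import ssl

# Exact message ESXi writes to /var/log/kickstart.log when Secure Boot blocks %firstboot.
SKIP_RE = re.compile(r"UEFI Secure Boot Enabled, skipping execution of (\S+)")

# Constructed sample of a kickstart.log from a Secure Boot host (not a real capture).
SAMPLE_LOG = """INFO Executing %post script
INFO UEFI Secure Boot Enabled, skipping execution of /var/lib/vmware/firstboot/001.firstboot_001
INFO Kickstart finished
"""


def skipped_firstboot_scripts(log_text):
    """Return the %firstboot script paths that kickstart.log reports as skipped."""
    return SKIP_RE.findall(log_text)


def apply_dns_config(host, user, password, hostname, domain, dns_servers,
                     search_domains, cafile=None):
    """Hypothetical replacement for the 'esxcli network ip dns ...' lines a
    %firstboot script would run: HostNetworkSystem.UpdateDnsConfig over the API.
    pyVmomi is imported here so the log parser above works without it."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)  # verify the host certificate
    else:  # a freshly installed ESXi host still presents a self-signed certificate
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    si = SmartConnect(host=host, user=user, pwd=password, sslContext=ctx)
    try:
        # Connected straight to the host, so the inventory holds exactly one HostSystem.
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.HostSystem], True)
        net_sys = view.view[0].configManager.networkSystem
        net_sys.UpdateDnsConfig(vim.host.DnsConfig(
            dhcp=False, hostName=hostname, domainName=domain,
            address=list(dns_servers), searchDomain=list(search_domains)))
        return list(net_sys.dnsConfig.address)  # re-read to confirm the change applied
    finally:
        Disconnect(si)


if __name__ == "__main__":
    for path in skipped_firstboot_scripts(SAMPLE_LOG):
        print("Secure Boot skipped", path, "- apply its settings through the API instead")
```

Run the parser against the real /var/log/kickstart.log (copied off the host) as a post-install check; only call apply_dns_config against a host you manage, with a CA file once the host has a trusted certificate.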

Categories // Automation, ESXi, Security, vSphere 6.5, vSphere 6.7 Tags // %firstboot, kickstart, Secure Boot, UEFI

Comments

  1. Paul says

    06/26/2018 at 12:31 pm

    Thank you,

    Not a bug but secure boot also disables running code from /etc/RC.local.d/local.sh which is what I'm using to load persistent firewall rules.

    Any ideas how to achieve this in a secure boot world?

    Thank you

    Reply
    • William Lam says

      06/26/2018 at 1:05 pm

      I don't have a solution, but out of curiosity, what firewall rules are you having to create by hand?

      Reply
    • Martin Gavanda says

      07/09/2018 at 2:55 am

      Just convert your FW rules into a VIB and slipstream them into the ESXi image profile, or adjust your Update Manager baselines.

      Did the same in the past, but keeping the rules consistent was a pain in the ass.

      In my case custom FW rules were used for VNC connections to the VMs (custom self-service portal and guacamole as a VNC proxy).

      Reply
  2. Leslie says

    08/01/2018 at 10:16 pm

    Do you know how to disable secure boot? My VM setting already uses BIOS, not EFI boot. But it seems like /etc/rc.local.d/local.sh is still not invoked. Also, when I got into the shell and ran SecureBootCheck, it shows 'Disable'. Very weird behavior.

    Reply
  3. Vijay Bhatt says

    12/03/2018 at 10:18 pm

    Thanks for this blog throwing light on the work-around.
    Do we have an example/sample/insights around how to go about this:

    "A preferred alternative is to convert your %firstboot logic into an external script which can then be applied using the vSphere API (recommended method) and this way you can still customize your ESXi host after the initial installations."

    Background: We need to configure ESXi host DNS/network settings after the initial installation, which is currently done in the %firstboot section.

    Thanks,
    Vj

    Reply
    • Suham Roy says

      11/03/2021 at 9:53 pm

      I know it has been very long but still curious to know if you could find a solution for it?

      Reply
