Saturday, September 15, 2018

Secure Boot and Acceptance Levels of Hosts and VIBs

The acceptance level of a VIB indicates how much certification the software package has undergone. There are four acceptance levels for VIBs:

  • VMwareCertified - most stringent requirements, equivalent to VMware in-house Quality Assurance testing. Only I/O Vendor Program (IOVP) drivers are published at this level. VMware takes support calls for VIBs with this acceptance level.
  • VMwareAccepted - The partner runs the tests and VMware verifies the result. VMware takes support calls for VIBs with this acceptance level.
  • PartnerSupported - The partner performs all testing. VMware does not verify the results. VMware directs support calls for VIBs with this acceptance level to the partner's support organization.
  • CommunitySupported - for VIBs created by individuals or companies outside of VMware partner programs. They are not supported by VMware or partners.

Why is this interesting for us? Mostly because of the relationship between secure boot and the acceptance level. With secure boot enabled, the acceptance level cannot be set to CommunitySupported. This makes perfect sense: why would you want to install a VIB created by someone outside the trusted partner programs? Two answers come to mind: home labs and testing.

With secure boot enabled (which is the default for VMs created with UEFI in vSphere 6.5 U1), you will notice the following behavior when trying to set the acceptance level:

To set the desired acceptance level, you first have to disable secure boot. On a physical server, this is done in UEFI. For a VM, it is done at the VM level, but the VM still has to be powered off: select the VM and edit its settings. On the VM Options tab, under Boot Options, you will find the setting for Secure Boot.

If you are connecting to vSphere 6.5, use the Web Client, since the HTML client does not show the option.
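
To see which installed VIBs sit below a given acceptance level, for example before turning secure boot back on for a lab host, the following added example (not part of the original post) ranks the four levels listed above and filters output in the column layout of `esxcli software vib list`. The function names and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: rank VIB acceptance levels and list VIBs below a minimum.
# On a host, feed it real data:  esxcli software vib list | vibs_below PartnerSupported

# Numeric rank per acceptance level, most stringent first (order of the list above).
level_rank() {
    case "$1" in
        VMwareCertified)    echo 4 ;;
        VMwareAccepted)     echo 3 ;;
        PartnerSupported)   echo 2 ;;
        CommunitySupported) echo 1 ;;
        *)                  echo 0 ;;   # unknown level: rank below everything
    esac
}

# Read `esxcli software vib list` output on stdin and print "name level"
# for every VIB whose level ranks below the minimum passed as $1.
vibs_below() {
    min=$(level_rank "$1")
    [ "$min" -gt 0 ] || { echo "unknown level: $1" >&2; return 2; }
    # Skip the header and the dashed separator. The level is the
    # second-to-last column and the VIB name is the first.
    awk 'NR > 2 && NF >= 5 { print $1, $(NF-1) }' |
    while read -r name level; do
        if [ "$(level_rank "$level")" -lt "$min" ]; then
            echo "$name $level"
        fi
    done
}

# Constructed sample rows (not taken from a real host).
sample_vib_list() {
    cat <<'EOF'
Name            Version        Vendor   Acceptance Level    Install Date
--------------  -------------  -------  ------------------  ------------
example-core    1.0.0-1        VMW      VMwareCertified     2018-09-01
example-nic     2.3.1-4        ACME     VMwareAccepted      2018-09-01
example-agent   0.9.2-7        ACME     PartnerSupported    2018-09-02
example-labfix  0.1.0-1        homelab  CommunitySupported  2018-09-10
EOF
}

sample_vib_list | vibs_below PartnerSupported
```

The host's current level can be read with `esxcli software acceptance get`.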
