Uncategorized

iPXE-Boot-Server: Setup iPXE to support both BIOS and UEFI

Step by step guide for how to build your own PXE boot server supporting both legacy BIOS and EFI hardare

Build your own PXE boot server

This article is a step by step guide for building your own PXE boot infrastructure which can be used to boot both legacy BIOS and EFI based hardware from network. There are many articles on the Internet for building PXE boot infrastructure however I found most of them does not work for EFI based hardware. I use iPXE as the boot image and dnsmasq as DHCP & TFTP server and I found it’s dead simple to setup those two software.

https://github.com/boliu83/ipxe-boot-server

client_boot1.gif

 

 

Standard
Uncategorized

VMWare: Enable or Disable UEFI Secure Boot for a Virtual Machine

I believe this is a new (or revised) document [to me].

[…]VMware Tools version 10.1 or later is required for virtual machines that use UEFI secure boot. You can upgrade those virtual machines to a later version of VMware Tools when it becomes available.

For Linux virtual machines, VMware Host-Guest Filesystem is not supported in secure boot mode. Remove VMware Host-Guest Filesystem from VMware Tools before you enable secure boot.[…]

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-898217D4-689D-4EB5-866C-888353FE241C.html

 

Standard
Uncategorized

VMWare and Microsoft Virtualization Based Security (VBS)

Introducing support for Virtualization Based Security and Credential Guard in vSphere 6.7
Mike Foley

Microsoft virtualization-based security, also known as “VBS”, is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem. Starting with vSphere 6.7, you can now enable Microsoft (VBS) on supported Windows guest operating systems. You may or may not be familiar with these new Windows features. Based on conversations I have with security teams, you might want to become familiar! What you will hear first and foremost is the requirement for “Credential Guard” which is why I added that to the title. In order to level set the conversation in this blog I will go over the features as they related to a bare metal installation of Windows and then a Windows VM on ESXi.[…]

https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-based-security-credential-guard-vsphere-6-7.html

Standard
Uncategorized

Identifying ESXi boot method & boot device

Identifying ESXi boot method & boot device
Posted on 01/09/2018 by William Lam

There was an interesting discussion on our internal Socialcast platform last week on figuring out how an ESXi host is booted up whether it is from local device like a disk or USB device, Auto Deploy or even boot from SAN along with its respective boot device? Although I had answered the question, I was not confident that we actually had a reliable and programmatic method for identifying all the different ESXi boot methods, which of course piqued my interest. With a bit of trial and error in the lab, I believe I have found a method in which we can identify the ESXi boot type (Local, Stateless, Stateless Caching, Stateful or Boot from SAN) along with some additional details pertaining to the boot device. To demonstrate this, I have created the following PowerCLI script ESXiBootDevice.ps1 which contains a function called Get-ESXiBootDevice.[…]

https://www.virtuallyghetto.com/2018/01/identifying-esxi-boot-method-boot-device.html

https://github.com/lamw/vghetto-scripts/blob/master/powershell/ESXiBootDevice.ps1

Standard
Uncategorized

VMWare Workstation 14 available

[…]Workstation 14 Pro builds from the newest vSphere Virtual Hardware Platform, now at version 14, and with it delivers new features such as support for:
– Microsoft Device Guard and Credential Guard “Virtualization Based Security” feature support for Windows 10 Guests (Guests only at this time)
– A new Virtual NVMe device for faster disk access on SSD storage and a requirement for vSAN testing
– UEFI Secure Boot, required for VBS and supported with ESXi 6.5 Virtual Guests.
– A new Virtual Trusted Platform Module which is used to manage keys for guest encryption services such as BitLocker.
– Support for the latest Intel Kabylake and AMD Ryzen CPUs

https://blogs.vmware.com/workstation/2017/09/workstation-14-now-available.html

 

Standard
Uncategorized

Hagfish: UEFI Bootloader for Barrelfish

Barrelfish is a new research operating system being built from scratch and released by ETH Zurich in Switzerland, originally in collaboration with Microsoft Research and now partly supported by HP Enterprise Labs, Huawei, Cisco, Oracle, and VMware. […]

Hagfish is the Barrelfish/ARMv8 UEFI loader prototype: Hagfish (it’s a basal chordate i.e. something like the ancestor of all fishes). Hagfish is a second-stage bootloader for Barrelfish on UEFI platforms, most importantly the ARMv8 server platform. […]

http://www.barrelfish.org/

https://github.com/BarrelfishOS/hagfish

https://github.com/BarrelfishOS/uefi-sdk

Standard
Uncategorized

Secure Boot for VMWare

Secure Boot for ESXi 6.5 – Hypervisor Assurance
Mike Foley
I’ve talked about how vSphere has been moving towards a “secure by default” stance over the past few years. This can clearly be seen in the new vSphere 6.5 Security Configuration Guide where the number of  “hardening” steps are growing smaller with every release. In this blog post we will go over another “secure by default” feature of vSphere 6.5 that provides hypervisor assurance, Secure Boot for ESXi. One of the coolest things in 6.5,  in my opinion, is the adoption of Secure Boot for ESXi. Now, you might say “But my laptop has had Secure Boot  since Windows 8, what’s the big deal?” Well, the “big deal” is that we’ve gone beyond the default behavior of Secure Boot and we now leverage the capabilities of the UEFI firmware to ensure that ESXi not only boots with a signed bootloader validated by the host firmware but that it also ensures that unsigned code won’t run on the hypervisor. Best of all, it’s simple to implement! Let’s dive in![…]

https://blogs.vmware.com/vsphere/2017/05/secure-boot-esxi-6-5-hypervisor-assurance.html

 

Standard