VMWare 8 Update 3j - Automated Secure Boot Cert Remediation Added
Posted by MrYiff@reddit | sysadmin | 14 comments
It looks like VMWare have started releasing their automated process for updating the Secure Boot Certs with this release:
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3j-release-notes.html
The KB pages for the Secure Boot Certs have also been updated:
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
https://knowledge.broadcom.com/external/article/423893#:~:text=bytes.Length%0A%2045-,SilentPK%20update,-for%20vTPM%20disabled
It looks like currently the automated process only works for VMs that do not have a vTPM attached (they provide some PowerShell code to check this for all VMs in one of the above links). According to the updated articles they will be adding support for handling vTPMs too at some point.
Currently it looks like ESXi 9 is still a manual process, but I assume this will get the automated version eventually.
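An added PowerCLI inventory script (not the KB's own code) that lists every VM with its firmware type, Secure Boot setting and whether a vTPM device is present, so you can see up front which VMs the 8.0 U3j automated fix covers and which still need the manual procedure. It assumes PowerCLI is installed and the vCenter name is a placeholder.

```powershell
# Added example, not the Broadcom KB script: build a per-VM report of firmware,
# Secure Boot state and vTPM presence. Assumes PowerCLI (VMware.VimAutomation.Core)
# is installed; the vCenter hostname below is a placeholder.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null

$report = foreach ($vm in Get-VM) {
    $cfg = $vm.ExtensionData.Config

    # A vTPM appears as a VirtualTPM device in the VM's virtual hardware list
    $hasVtpm = [bool]($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })

    # EFI Secure Boot flag from the VM's boot options (null on BIOS VMs)
    $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled

    # Per the thread/KB: the automated PK update currently handles VMs without a
    # vTPM; VMs with a vTPM still follow the manual procedure until support lands
    $path = if ($hasVtpm) { 'manual (vTPM present)' } else { 'automated (ESXi 8.0 U3j, guest reboot)' }

    [pscustomobject]@{
        Name        = $vm.Name
        PowerState  = $vm.PowerState
        Firmware    = $cfg.Firmware
        SecureBoot  = $secureBoot
        vTPM        = $hasVtpm
        Remediation = $path
    }
}

# Show the vTPM VMs first so the manual-work list is obvious, then keep a CSV for tracking
$report | Sort-Object -Property @{Expression = 'vTPM'; Descending = $true}, Name | Format-Table -AutoSize
$report | Export-Csv -Path .\secureboot-vtpm-inventory.csv -NoTypeInformation

Disconnect-VIServer -Server 'vcenter.example.invalid' -Confirm:$false
```

Run it before and after applying U3j so the CSV doubles as your before/after record of which VMs still show a vTPM and need manual handling.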
trail-g62Bim@reddit
Does anyone know how to make the new update show up in vCenter? Usually I'm at least a few days late, but given the cert stuff, I want to go ahead and load it on my test hosts now. But I don't know how to force it to check and offer it as an ESXi image.
trail-g62Bim@reddit
Thank god. Was just trying to figure out how I was going to coordinate all of this.
MrYiff@reddit (OP)
Double-check you aren't using vTPMs before you get too excited though :)
trail-g62Bim@reddit
Thanks for the reminder, but I checked last week when I was planning to do this manually. I should double-check though.
hidepp@reddit
And the update isn’t available for customers who bought a PERPETUAL license but the support contract expired after they increased literally 1000% the price for renewal.
I wonder how many people around still hadn’t got rid of their vSphere clusters and have this mess to clean.
Darkk_Knight@reddit
VMware still around?
hidepp@reddit
Yup. I still have to deal with this :(
Critical_Physics_770@reddit
Thanks for consolidating the KB links. Anyone know if the silent PK update requires a host reboot, or is it applied live? That detail seems buried in the docs.
MrYiff@reddit (OP)
The release notes for Update 3j confirm a host reboot is needed (pretty much guaranteed for anything more than a VMware Tools update):
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3j-release-notes.html#build-details
MrYiff@reddit (OP)
Since you need to install Update 3j, this part will need a host reboot since it updates core components. To then fix each VM, this just needs a guest reboot so the boot files can be updated.
Yupyupyup79@reddit
Not automated yet if you use vTPMs
MrYiff@reddit (OP)
Yep, I noted this in my post too, but at least this will probably automate the fix for a good number of people, as vTPMs aren't something added automatically when creating a VM.
At least there is some progress from VMWare on this finally.
Yupyupyup79@reddit
Sorry, I should have read the entire post.
MrYiff@reddit (OP)
Don't worry about it, it's a pretty big caveat so there is certainly no harm in repeating it :)