The hardware chip will be used by ESXi host. Within the hardware, there is the UEFI firmware which validates the bootloader and the VM kernel. In the Kernel, a number of measurements are taken, which are stored in the TPM device.
The boot continues and that information is passed to vCenter. It’s vCenter which queries the ESXi host and queries the TPM device and compares the hashes which have been reported by ESXi against the hashes reported by TPM.
Virtualization Based Security (VBS)
When booting Windows 10 VM on VMware ESXi, it boots via MBR or EFI. There is no credential guard support.
In order to enable VBS, need:
- Hardware virtualization
- EFI Firmware
- Secure boot
ESXi boots a copy of Windows hypervisor, which boots Windows 10 and all the credentials subsystem within a micro VM.
n order to support VBS, every W10 and Windows server 2016 will be nested VM.
vTPM 2.0 module, present in the Virtual Hardware 14 (New), is available. And the data are secured via VM encryption. However, VM encryption still needs an external Key manager (via VMware partner). The VM home files will be encrypted using the key generated by ESXi host.
The solution does not need hardware TPM.
VMs are provided with trusted Virtual hardware, which is presented to the VM by a host. The ESXi host has a root of trust to physical hardware.
The encrypt VM operations are simplified in the UI within vSphere 6.7, it’s all under the same TAB. You can also select which disk you want to encrypt. It possible also to do that with PowerCLI.
VMware Virtual Hardware version 14 (VMX-14)
vSphere 6.7 brings Virtual Hardware 14. But when upgrading, you should not just jump in and start upgrading all your VMs to bring them to the latest Virtual Hardware. The VM compatibility level is like changing a motherboard to a VM. You should only do that for those VMs which needs the features introduced in the latest Virtual Hardware 14.
FIPS 140-2 for vSphere
There is kernel crypto module and Open SSL module have got through FIPS evaluation.
It’s ON by default. If you upgrade or migrate host, it will turn ON TLS 1.2. Only key managers that support TLS 1.2 will be supported. (You can downgrade, however).
- Virtual Machine Locked Alarm
- Host Requires Encryption Module Enabled Alarm
- KMS client and server Certificate Status Alarm
If you see an alarm that VM is locked, it usually means that host is unable to unlock a VM. Usually, this happens when network connectivity with KMS is broken.