“SECUREBOOT: Image DENIED.” – Linux VMs created with Hardware version 20 will fail to start installation when Secure Boot is enabled (88737)

“SECUREBOOT: Image DENIED.” – Virtual Machine with Windows Server 2022 KB5022842 (OS Build 20348.1547) configured with secure boot enabled not booting up (90947)
Reference “SECUREBOOT: Image DENIED.” for Windows Server 2022
How ESXi Uses UEFI Secure Boot

Important 88737 Symptoms

The installation of the Operating System image will be denied and “SECUREBOOT: Image DENIED.” will be reported in vmware.log.

Below goes the list of the impacted Linux Operating Systems.

  • RHEL 8.0~8.4, 7.x 
  • CentOS 8.0~8.5, 7.x
  • Oracle Linux 8.0~8.3, 7.x
  • AlmaLinux 8.4    
  • Rocky Linux 8.4    
  • Photon OS 4.0GA, 3.0 GA & Rev 2 & Rev 3, 2.0    
  • Ubuntu LTS 20.04~20.04.4, 18.04~18.04.5 and earlier
  • Ubuntu Non-LTS 21.04, 20.10, 19.10, 19.04, 18.10 and earlier     
  • Debian 10.9 and earlier     
  • SLE 12SP0~SP5, 15SP0-SP2

Cause

This is caused due to the Secure Boot deny list (dbx) is updated to prevent vulnerable bootloaders from being used. For more information, refer to VMware response to GRUB2 security vulnerability CVE-2020-10713 (80181)

Resolution

  1. Create the SecureBoot Virtual Machine with Hardware version 19 (or earlier).
  2. After the installation is completed, update the vulnerable bootloader of the VM to a newer and fixed version, refer to VMware response to GRUB2 security vulnerability CVE-2020-10713 (80181)
  3. Upgrade the Virtual Machine’s Hardware version to 20.

Workaround

Create the Virtual Machine with Secureboot disabled instead.

Author: Daniel Micanek

Senior Service Architect, SAP Platform Services Team at Tietoevry | SUSE SCA | vExpert ⭐⭐⭐⭐⭐ | vExpert NSX | VCIX-DCV/NV | VCAP-DCV/NV Design+Deploy | VCP-DCV/NV/CMA/TKO/DTM | NCIE-DP | OCP | Azure Solutions Architect | Certified Kubernetes Administrator (CKA)