AHV, AOS, English, Technology

New Feature: Secure Boot for VM’s in AOS 5.16

With the release of AOS 5.16 a couple of new security features are introduced. One of the features is secure boot. Secure boot is designed to protect a system against malicious code being loaded and executed early in the boot process, before the operating system has been loaded.


AHV uses TianoCore UEFI. This is an open source implementation of UEFI. In June of 2004, Intel announced that it would release the “Foundation Code” of its Extensible Firmware Interface (EFI), a successor to the 16-bit x86 “legacy” PC BIOS, under an open source license. This Foundation Code, developed by Intel as part of a project code named Tiano, was Intel’s “preferred implementation” of EFI. This evolved into EDK, EDK II, and other open source projects under the TianoCore community.

The EFI Specifications were contributed to the United EFI Forum as part of the original UEFI Specifications, which has been adopted by over 200 companies and shipped on millions of compute devices. TianoCore is designed to implement the UEFI and UEFI PI specifications.
Source: TianoCore.org

How to create a Secure Boot VM

For secure Boot to work UEFI and machine type Q35 must be configured. When these 2 settings are set, secure boot can be enabled/disabled with the vm.update command in the Acropolis CLI. UEFI does not support legacy bus types. IDE devices must be changed to SATA or removed from the VM. Currently secure boot is only supported with AHV. Keep in mind that the guest operating system must support secure boot. Here you can find a list of supported OS’s by Nutanix secure boot.

VM creation in Prism:

  1. Go to Prism Element and login
  2. Open de VM dashboard and click “Create VM”
  3. Fill in the VM details such as Name, vCPU, Mem, Cores, etc
  4. Enable UEFI BIOS

With UEFI BIOS enabled, IDE devices are not supported anymore. The VM creation wizard automatically adds a CD-ROM with bus type IDE. Change this to SATA.

  1. Click on the edit pencil on the CD-ROM device
  2. Change IDE to SATA and click OK
  3. Attach an ISO file to the CD-ROM
  4. Add an empty disk to the VM
  5. Add a new nic in the Network Adapters section
  6. Click save
  7. Open Putty and make a connection to one of the CVM’s
  8. Login with Nutanix and the corresponding password
  9. Type in: acli
  10. Type in: vm.update <vm name> secure_boot=true machine_type=q35

The VM is now updated to secure boot and the correct machine type.

  1. Power on the VM in Prism
  2. Start the installation of the VM

Keep in mind that when you want to install Windows Server in the VM, you also need to attach the VirtIO drivers to the VM. The VirtIO drivers ISO file can be downloaded from the Nutanix portal at http://portal.nutanix.com.

Attach VirtIO drivers:

  1. Select the VM in Prism Element
  2. Power down the VM
  3. Click on Update
  4. Go to disks section in the VM screen
  5. Add an extra SATA CD-ROM
  6. Attach the latest VirtIO drivers ISO

See below screenshot for the disks setup. VirtIO driver ISO is attached to sata.1

It is also possible to create a VM from scratch using the Acropolis CLI.

VM creation in Acropolis CLI:

  1. Go to one of the CVM’s and login with nutanix and related password
  2. Type: acli
  3. Type: vm.create <vm name> uefi_boot=true secure_boot=true machine_type=q35
  4. Go to Prism Element and login
  5. Select the just created VM and click Update
  6. Change the VM details such as vCPU, cores, memory, time zone, etc
  7. Add a SATA CD-ROM in the disks section
  8. Add an empty disk to the VM
  9. Add a new nic in the Network Adapters section
  10. Click Save
  11. Power on the VM in Prism
  12. Start the installation of the VM

One advantage of using the CLI instead of the Prism GUI is the possibility to define the location of storage container for UEFI firmware and variables. This is not possible with the GUI at the moment.

The command line for this is:
vm.create <vm name> uefi_boot=true secure_boot=true machine_type=q35 nvram_container=<NutanixManagementShare>

Replace <vm name> with the desired name for the virtual machine and replace <NutanixManagementShare> with a Nutanix storage container in which you want to store the UEFI variables.


Following the steps above you protect the VM’s with a secure BIOS and prevent malicious code from injecting code before a virus scanner or other protection is active on the VM.