Secure Boot is designed to prevent malicious boot loader attacks and has become the most widely accepted approach for both Windows and Linux. It is supported by the major hardware and hypervisor vendors.
Windows introduced a new specification called the Unified Extensible Firmware Interface (UEFI) that connects the computer's firmware to its operating system (OS). UEFI is now managed by an open-source forum, the UEFI Forum, and is expected to eventually replace the BIOS.
In order for Nutanix to fully support Secure Boot, Nutanix binaries are now signed with keys that the hardware trusts.
The Nutanix public keys will either be available in the hardware by default, or a customer will need to obtain the Nutanix public keys manually and import them through the hardware's UEFI administration interface. Once the Nutanix public keys are present in the hardware, UEFI will allow Nutanix binaries to boot securely.
The NCC check returns a PASS if the following is true:
- All hosts are running with Secure Boot enabled.
The NCC check returns an INFO if the following is true:
- Secure Boot is enabled on some hosts but not on others (a mixed configuration across the cluster).
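The PASS/INFO logic described above, as an added illustration that is not Nutanix's own NCC code. It assumes the hosts are UEFI-booted Linux hosts (such as AHV) whose Secure Boot state is read from the `SecureBoot` EFI variable exposed through efivarfs; the sample variable contents are constructed, and the result for a cluster with no host enabled is an assumption, since the page does not define one.

```python
import struct
from typing import Mapping

# GUID of the EFI global variable namespace; on a UEFI-booted Linux host the
# variable is exposed at /sys/firmware/efi/efivars/SecureBoot-<this GUID>.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SECUREBOOT_EFIVAR = f"/sys/firmware/efi/efivars/SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"


def secure_boot_enabled(efivar_bytes: bytes) -> bool:
    """Decode raw efivarfs contents of the SecureBoot variable.

    efivarfs prepends a 4-byte little-endian attribute word to the variable
    data; the SecureBoot payload is a single byte (1 = enabled, 0 = disabled).
    """
    if len(efivar_bytes) < 5:
        raise ValueError("SecureBoot efivar too short to contain attributes + value")
    _attributes, value = struct.unpack("<IB", efivar_bytes[:5])
    return value == 1


def evaluate_cluster(host_status: Mapping[str, bool]) -> str:
    """Aggregate per-host state into the results the page describes.

    PASS: every host has Secure Boot enabled.
    INFO: some hosts have it enabled and others do not.
    The page defines no result when no host has it enabled; this function
    reports that case as 'NO_HOST_ENABLED' (an assumption made here).
    """
    if not host_status:
        raise ValueError("no hosts to evaluate")
    enabled = [host for host, on in host_status.items() if on]
    if len(enabled) == len(host_status):
        return "PASS"
    if enabled:
        return "INFO"
    return "NO_HOST_ENABLED"


# Constructed sample efivar contents for three hosts (not captured from a real
# cluster): attributes 0x00000006 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS), then
# the 1-byte SecureBoot value.
SAMPLE_EFIVARS = {
    "host-a": b"\x06\x00\x00\x00\x01",
    "host-b": b"\x06\x00\x00\x00\x01",
    "host-c": b"\x06\x00\x00\x00\x00",
}


def check_from_efivars(efivars: Mapping[str, bytes]) -> str:
    """Run the check over a mapping of host name -> raw SecureBoot efivar bytes."""
    return evaluate_cluster({h: secure_boot_enabled(b) for h, b in efivars.items()})


if __name__ == "__main__":
    print(check_from_efivars(SAMPLE_EFIVARS))  # INFO: host-c has Secure Boot disabled
```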
This check was introduced in NCC version 3.9.3. The check is scheduled to run at an interval of 24 hours.
For details on how to run this NCC check and its expected output, see KB-8193.