Note: This process should work for Windows and Linux as well.  Verify the EFI boot path for the OS.

Through ESXi 6.0 I have run my hosts in Legacy BIOS mode on UCS.  There just was nothing significant enough worth the hassle of switching to UEFI on UCS (rather: I had more important fires to put out…).  The one feature I did want, Secure Boot, wasn’t supported by ESXi 6.0 and earlier.

vSphere 6.5 introduced support for Secure Boot.   Mike Foley has a great blog post about Secure Boot in ESXi 6.5.  If you are starting your 6.5 upgrade and are using Legacy mode, consider switching to UEFI.  It’s minimal effort and increases the security of your hypervisor.

Since I was working on rolling out a new UCS environment with ESXi 6.5 in a remote office environment, this felt like a great time to switch to UEFI and get the benefits of Secure Boot.  This is not complicated on UCS, but there is a new Boot Policy that must be created.  This policy can be reused for Windows (and other OS).

Creating a new UEFI Boot Policy

Environment

For this environment I was using a Cisco UCS Mini running in FC Switch mode.  I had a number of B200 M5 blades with the VIC 1340 and a storage array attached to the mini FI-IO modules.

You will require UCS version 2.2(4) or later to have the applicable options.

Note: As mentioned, these steps are for SAN booting.  You will need to modify for local booting.

Creating a UEFI Boot Policy

1. Create a new Boot Policy wherever appropriate in your UCS Manager organization.
2. Give your Boot Policy a name and description.
3. Enable the “Enforce vNIC/vHBA/iSCSI Name” option, assuming you are using consistent naming for your boot devices.
4. Set the “Boot Mode” to “UEFI” and enable “Boot Security”.

5. Under the vHBA section select “Add SAN Boot”.
6. Select Primary and enter the vHBA name for your A-side fabric (for example: vHBA-A)

7. Under vHBA add another SAN Boot device.
   Secondary will be selected, so enter your B fabric HBA name (i.e.: vHBA-B)
8. Now create the targets for your Primary Controller (fabric A).
   1. Select the “Add SAN Boot Target” option and then select your Primary Controller.
   2. Enter the LUN ID for where ESXi will be installed to (generally LUN 0 or LUN 1).
   3. Enter the first WWPN for your storage array that is accessible on fabric A.
   4. Add another SAN Boot Target to your Primary Controller.  Add the same LUN ID and second WWPN for your storage array.
9. Repeat Step #8 for your Secondary Controller using the fabric B WWPNs of your array.
   When done, it should look like the image below.

10. Now for your SAN Primary controller select SAN Target Primary.  The “Set Uefi Boot Parameters” option will appear.
11. Insert the settings below to configure the UEFI parameters:
    1. Boot Loader Name: BOOTX64.EFI
    2. Boot Loader Path: \EFI\BOOT\
    3. Boot Loader Description: UEFI Image on SAN (Or whatever you would like)

12. Repeat step #11 for each of your boot targets.
13. Now apply this boot policy to your Service Profile/Service Profile Template.
14. Install ESXi as you would normally and then reboot.

If you boot successfully then you’re in great shape.  If this is a new domain with nothing else running you may want to consider testing booting by shutting off paths to storage.  This is just to verify your UEFI boot parameters will work when or if your first HBA goes down.

If you do not boot successfully you will likely be dropped to the UEFI shell.  This indicates that one of the following likely happened:

• The UEFI updated policy has not been used in the Service Profile.
• One of the UEFI parameters was incorrectly entered from above.

More Information

Troubleshooting from the UEFI shell

If you’re dumped to the UEFI shell instead of getting a booted OS quick way to find out is through the UEFI shell.  At the shell you can enter the command bcfg boot dump.  This will let you know if there’s any other boot loaders configured with this UEFI system.  If you only see the UEFI Loader then likely UCS Manager didn’t insert the proper parameters, or your UEFI image isn’t present.

Assuming no other boot managers on ahead of your boot LUN (which should always be 0 or 1 to ensure it’s first), you should verify your boot loader is present on fs0.

Switch to FS0 by entering fs0: at the UEFI shell.  You can then use dir to list the contents of that file system.  If you see the contents below, which are part of the ESXi boot loader system, you have confirmed the boot drive is available in UEFI.  At this point verify you have entered your UEFI parameters properly and try again.

Additional Resources

• If you’re curious about the ESXi boot drive partition setup check out Andrea Mauro’s blog post about ESXi 6.0 partitions.
• The Wikipedia entry on UEFI provides an extensive background on UEFI, including Secure Boot.
• Cisco bug report on ESXi using UEFI boot parameters
• VMware doc on ESXi and UEFI Boot Parameters