XenServer

Secure Boot for XenServer 9

Secure Boot helps prevent untrusted code from running during host boot and runtime by enforcing a verified chain of trust. XenServer 9 supports installation and operation with Secure Boot enabled in firmware.

Benefits

  • Enforces signature verification for each boot component.
  • Reduces risk of executing untrusted or malicious code.
  • Improves overall platform integrity against low‑level attacks.

Support and requirements

Supported scenarios in XenServer 9:

  • Host installation from ISO or network
  • Boot from SAN
  • Normal host runtime

Requirements:

  • UEFI firmware is required; hosts do not boot without UEFI.
  • Enable Secure Boot in firmware settings.
  • Certificate requirements:
    • Microsoft UEFI CA 2011 (or 2023, if available on your platform).
  • All Dom0 kernel modules must be signed.

Notes:

  • Host Secure Boot is independent of VM Secure Boot; enabling one does not enable the other.
  • Mixed pools (hosts with Secure Boot both enabled and disabled) are supported.
  • You can enable Secure Boot after an RPU from XenServer 8.4, during a manual upgrade from XenServer 8.4, or after a fresh XenServer 9 install.
  • You can disable Secure Boot at any time in firmware.
  • If you restore a host from XenServer 9 back to XenServer 8.4, disable Secure Boot before booting.
  • Running memory tests from the boot menu requires Secure Boot to be disabled.
  • Some unsupported Xen or Dom0 kernel command‑line options might not work with Secure Boot enabled.

Configure Secure Boot

Configuration steps vary by platform. Refer to your hardware vendor documentation for exact steps. The following example uses a Supermicro server.

  1. In firmware setup, go to Security > Secure Boot.
  2. Set CSM Support to Disabled.
  3. Set Secure Boot Mode to Standard.
  4. Set Secure Boot Control to Enabled.
Secure Boot for XenServer 9