Secure Boot for XenServer 9
Secure Boot helps prevent untrusted code from running during host boot and runtime by enforcing a verified chain of trust. XenServer 9 supports installation and operation with Secure Boot enabled in firmware.
Note: Secure Boot is available in two flows, general availability (GA) and a feature preview (for testing), which have different certificate requirements.
Benefits
- Enforces signature verification for each boot component.
- Reduces risk of executing untrusted or malicious code.
- Improves overall platform integrity against low‑level attacks.
Support and requirements
Supported scenarios in XenServer 9:
- Host installation from ISO or network
- Boot from SAN
- Normal host runtime
Requirements:
- UEFI firmware is required; hosts do not boot without UEFI.
- Enable Secure Boot in firmware settings.
- Certificate requirements:
  - GA: Microsoft UEFI CA 2011 (or 2023, if available on your platform).
  - Feature preview: XenServer development certificate.
- All Dom0 kernel modules must be signed.
Notes:
- Host Secure Boot is independent of VM Secure Boot; enabling one does not enable the other.
- Mixed pools (hosts with Secure Boot both enabled and disabled) are supported.
- You can enable Secure Boot after a rolling pool upgrade (RPU) from XenServer 8.4, during a manual upgrade from XenServer 8.4, or after a fresh XenServer 9 install.
- You can disable Secure Boot at any time in firmware.
- If you restore a host from XenServer 9 back to XenServer 8.4, disable Secure Boot before booting.
- Running memory tests from the boot menu requires Secure Boot to be disabled.
- Some unsupported Xen or Dom0 kernel command‑line options might not work with Secure Boot enabled.
Configure Secure Boot
Configuration steps vary by platform. Refer to your hardware vendor documentation for exact steps. The following example uses a Supermicro server.
GA configuration (Microsoft UEFI CA)
- In firmware setup, go to Security > Secure Boot.
- Set CSM Support to Disabled.
- Set Secure Boot Mode to Standard.
- Set Secure Boot Control to Enabled.
Feature preview configuration (XenServer development certificate)
- In firmware setup, go to Security > Secure Boot.
- Set CSM Support to Disabled.
- Set Secure Boot Mode to Custom.
- Set Secure Boot Control to Enabled.
- Go to Security > Secure Boot > Key Management.
- Set Provision Factory Default Keys to Disabled.
- Add the XenServer 9 Preview - Secure Boot certificate for firmware certificate to Authorized Signatures. This certificate is available on the XenServer 9 downloads page (choose the DER-encoded or ASCII-encoded version depending on your firmware requirement).
Important: Keep the Microsoft UEFI CA 2011 (or 2023) certificate present in firmware to simplify moving from preview to GA.
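To confirm from Dom0 that the firmware settings took effect, the following added example (not part of the XenServer documentation) reads the standard UEFI `SecureBoot` and `SetupMode` variables. It assumes efivarfs is mounted at /sys/firmware/efi/efivars in Dom0; the function names and the `check` argument are illustrative.

```shell
#!/bin/sh
# Added example: report the firmware Secure Boot state as seen from Dom0.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars in Dom0.

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME
# Print the one-byte value of a global EFI variable. An efivarfs file is a
# 4-byte attribute field followed by the data, so the value is at offset 4.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# secure_boot_state [DIR]
# Prints one of: no-efivars, unknown, setup-mode, enabled, disabled.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo no-efivars; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    setup=$(efivar_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        # No Platform Key enrolled: signatures are not enforced.
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Query the live host only when the script is run with the "check" argument.
if [ "${1:-}" = check ]; then
    secure_boot_state
fi
```

A result of `setup-mode` after the Custom-mode key management steps means the firmware has no Platform Key enrolled, so Secure Boot is not being enforced even though the control is set to Enabled.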