IBM Cloud Docs
Secure boot with Trusted Platform Module (TPM) for bare metal servers

Secure boot with Trusted Platform Module (TPM) for bare metal servers

Secure boot makes sure that your server starts with trusted software by verifying the signatures for all code in the boot process. So, your images need to support secure boot with a signed boot loader. Trusted Platform Module (TPM) provides hardware-based security functions. With supporting software, TPM helps maintain platform integrity and generates cryptographic keys. Generally, TPM is used with secure boot.

Servers that you provisioned before 31 January 2023 aren't supported.

Supported images for secure boot

The following images are available when you provision a server with secure boot. Keep in mind that these features are available on only the x86-64 architecture.

Table 1. Supported operating systems for secure boot
Image Architecture
Red Hat Enterprise Linux 8 x86-64
Red Hat Enterprise Linux 8.4 for SAP x86-64
Red Hat Enterprise Linux 8.4 for SAP HANA x86-64
SUSE Linux Enterprise server (SLES) 15 SP3 x86-64
SUSE Linux Enterprise server (SLES) 15 SP4 x86-64
Ubuntu 18.04, 20.04, 22.04 x86-64
VMWare ESXi 7 x86-64
Windows 2016, 2019, 2022 x86-64

Limitations

Consider the following limitations before you enable secure boot and TPM.

  • Servers that you provisioned before this feature was released aren't supported.
  • Secure boot requires a signed OS. If you enable secure boot without a signed OS, the server can't boot.
  • Secure boot and TPM are available on only x86 servers.
  • ESXi images require secure boot to use TPM.

Enable secure boot with TPM

When you create or update a server, you can specify whether you want to enable secure boot. You can find the secure boot and TPM selections in the Advanced options on the provisioning page.

To use secure boot or TPM on an existing supported server, you can enable them from the server details page.

To enable secure boot or TPM, the server needs to be powered off.

Keys that are stored in BIOS firmware

The following keys are stored in the BIOS firmware that you can use to sign a custom image. For more information about custom images, see Getting started with custom images.

  • Microsoft Corporation UEFI CA 2011
  • Microsoft Windows Production PCA 2011
  • SUPERMICRO Product CA 2018