@Chaz6
Last active February 14, 2024 15:19
How to replace UEFI Secure Boot certificates in VMware

Custom Secure Boot configuration while deploying a new Virtual Machine

The Secure Boot configuration is stored in NVRAM. If the NVRAM contains no Secure Boot configuration (a freshly deployed VM, or a VM for which the .nvram file has been deleted from the datastore), the Secure Boot configuration will be reset to the defaults described in the UEFI Specification (the variables named PKDefault, KEKDefault, dbDefault and dbxDefault). You can use advanced VM config options to control those defaults, through which you can pre-populate the Secure Boot configuration before the VM is first powered on.

If you want to deploy the certificates as part of the VM's configuration, copy the DER-encoded certificate into the VM's directory and add the following advanced VM config options:

uefi.secureBoot.dbDefault.file0 = "custom-cert.der"

where "custom-cert.der" is the name of the DER-encoded certificate file within the VM's directory. You can repeat that for file1, file2, file3, etc., to add multiple certificates.

If you want to pre-configure SHA-256 hashes into the Secure Boot approved database (db) or revoked database (dbx), put a hexadecimal representation of the file's Authenticode hash (note: this is not the regular SHA-256 sum over the whole file) into an advanced VM config option like this:

uefi.secureBoot.dbDefault.value0 = "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
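The Authenticode hash referred to above, as an added example that is not part of the original post: this Python parses the PE headers and digests the image the way Authenticode does (skipping the CheckSum field, the Certificate Table directory entry and any attached certificate table), so its output is what belongs in a uefi.secureBoot.dbDefault.valueN option. `build_sample_pe` is a constructed, non-bootable PE32+ stub used only to show that the digest is unchanged when a certificate table is attached, whereas a plain sha256sum changes.

```python
# Authenticode PE digest: the CheckSum field, the security data-directory entry and
# the appended certificate table are excluded, so this is not sha256sum of the file.
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = (struct.unpack_from("<H", pe, pe_off + o)[0] for o in (6, 20))
    opt = pe_off + 24                                                 # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]                      # 0x10B PE32, 0x20B PE32+
    checksum_off = opt + 64
    secdir_off = opt + (112 if magic == 0x20B else 96) + 4 * 8        # data directory entry 4
    cert_size = struct.unpack_from("<II", pe, secdir_off)[1]
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    h = hashlib.sha256()
    h.update(pe[:checksum_off])                                       # headers without CheckSum
    h.update(pe[checksum_off + 4:secdir_off])                         # ... and without security dir
    h.update(pe[secdir_off + 8:size_of_headers])
    sections = sorted(struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)[::-1]
                      for i in range(nsec))                           # (PointerToRawData, SizeOfRawData)
    hashed = size_of_headers
    for raw_ptr, raw_size in sections:                                # ascending file offset
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - cert_size                              # trailing data minus cert table
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()

def plain_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_pe(cert: bytes = b"") -> bytes:  # constructed minimal PE32+, not bootable
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", hdr, opt + 60, 512)                        # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, 0xDEADBEEF if cert else 0)  # CheckSum
    if cert:                                                          # security dir -> appended cert
        struct.pack_into("<II", hdr, opt + 112 + 32, 1024, len(cert))
    sec = opt + 240
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 512, 0x1000, 512, 512)    # VSize, VA, RawSize, RawPtr
    return bytes(hdr) + bytes(range(256)) * 2 + cert                  # one 512-byte section
```

Run `authenticode_sha256(open("bootx64.efi", "rb").read())` on a real image to get the value for the option; for a signed image the result matches the digest embedded in its Authenticode signature.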

If you want to replace the default certs so that only your custom certs are trusted, also add:

uefi.secureBoot.dbDefault.append = "FALSE"

which will remove the default certs before starting to add your custom certs. By default, your custom certificates are appended to the default set of certificates.

Modifying the Secure Boot configuration of an existing Virtual Machine

By default, the virtual machine's configuration cannot be modified from within the virtual machine. If you use the technique described above to install your own Platform Key into the PK variable or to provision your own certificate into the Key Exchange Key database in the KEK variable, you can modify Secure Boot configuration from within the virtual machine by using the corresponding private keys, as described in the UEFI Specification. Discussion of how to prepare and correctly authenticate a modification to the virtual machine's Secure Boot configuration is beyond the scope of this document.

If you wish to manually modify a virtual machine's Secure Boot configuration, you can enable the use of the firmware's user interface for managing Secure Boot configuration using the following advanced VM config option:

uefi.allowAuthBypass = "TRUE"

Power on the virtual machine to its firmware user interface. You can achieve this by pressing the "Esc" key at the virtual machine's console while the "VMware" logo is displayed. Set bios.bootDelay = "10000" if you need more time to do that. Or, just set bios.forceSetupOnce = "TRUE" to force the firmware's user interface to appear on the next boot.

At the firmware user interface, choose Enter setup; a Secure Boot Configuration menu will then be available for modifying the Secure Boot configuration.

For reasons of platform integrity, the Secure Boot configuration menu will only be available if the uefi.allowAuthBypass option is set and when the virtual machine has not made any attempt to boot an operating system since it was powered on.


Taken from https://communities.vmware.com/t5/ESXi-Discussions/How-to-replace-default-certificate-for-Secure-Boot-Virtual/m-p/1753164/highlight/true#M166843
