Your UEFI-based VMs will be automatically migrated to UEFI-based hosts on Compute Engine. You can optionally specify that UEFI-based VMs use Secure Boot, a feature of Shielded VMs. Shielded VMs provide support for the following additional features:
- Virtual Trusted Platform Module (vTPM)
- integrity monitoring
You migrate using runbooks, migrating VMs in waves. In your runbook, you specify whether the migrated UEFI-based VM should use Secure Boot when it is booted on Compute Engine.
- The source VM must use a supported operating system. For a list of operating systems supported for migration from UEFI to Shielded VMs, see Supported operating systems.
Support for migrating to UEFI-based VMs is limited in the following ways:
- Custom certificates (such as when the kernel is manually signed) aren't supported. Your source VM must be signed by an authority supported by Google Cloud. If the VM is not signed by a supported CA, boot may fail. If this happens, check the log for a security violation.
- Migrate for Compute Engine doesn't support migrating instances from AWS with UEFI boot configured.
How UEFI-based VM migration works
- When beginning migration, Migrate for Compute Engine identifies whether the source VM is UEFI- or BIOS-based. If the VM is using UEFI, it will be migrated to a Compute Engine VM that uses UEFI.
- If Secure Boot was specified in the runbook, Migrate for Compute Engine will enable Compute Engine will enable Secure Boot on the migrated VM.
- Compute Engine will boot the migrated VM.
- After detaching, you can optionally enable other Shielded VM features, such as vTPM and integrity monitoring.
Migrating UEFI-based VMs
- Create a runbook that includes the UEFI-based VMs you want to migrate.
- For each UEFI-based VM in your runbook, specify whether the VM should be
booted with Secure Boot. The runbook provides the following fields specific to
UEFI-based VMs. For more runbook fields, see the
Field Required Format Description BootFirmware No.
Included by Migrate for Compute Engine when the runbook is generated. Where this value is
UEFI, you can enable Secure Boot for the migrated VM on Compute Engine by specifying
UEFIfor UEFI-based source VMs and
BIOSfor vSphere BIOS VMs, AWS, and Azure VMs.
FALSE. Default is
TRUEto specify that a UEFI-based source VM should have Secure Boot enabled after it is migrated. Default is
BootFirmwarefield must be set to
UEFIin order for a
TRUEvalue to be accepted.
Migrate in waves.
Note that Secure Boot is not enabled during migration streaming. For VMs marked in the runbook to have Secure Boot enabled, Migrate for Compute Engine will enable Secure Boot after detach.
After detaching, optionally enable additional Shielded VM features.