Migrating to UEFI-based VMs

Your on-premises, UEFI-based VMs will be automatically migrated to UEFI-based hosts on Compute Engine. You can optionally specify that UEFI-based VMs use Secure Boot, a feature of Shielded VMs. Shielded VMs provide support for the following additional features:

  • Virtual Trusted Platform Module (vTPM)
  • Integrity monitoring

You migrate using runbooks, migrating VMs in waves. In your runbook, you specify whether the migrated UEFI-based VM should use Secure Boot when it is booted on Compute Engine.


  • The source VM must use a supported operating system. For a list of operating systems supported for migration from UEFI to Shielded VMs, see Supported operating systems.


Support for migrating to UEFI-based VMs is limited in the following ways:

  • Custom certificates (such as when the kernel is manually signed) aren't supported. Your source VM must be signed by an authority supported by Google Cloud. If the VM is not signed by a supported CA, boot may fail. If this happens, check the log for a security violation.

How UEFI-based VM migration works

  1. When beginning migration, Migrate for Compute Engine identifies whether the source VM is UEFI- or BIOS-based. If the VM is using UEFI, it will be migrated to a Compute Engine VM that uses UEFI.
  2. If Secure Boot was specified in the runbook, Migrate for Compute Engine will enable Secure Boot on the migrated VM.
  3. Compute Engine will boot the migrated VM.
  4. After detaching, you can optionally enable other Shielded VM features, such as vTPM and integrity monitoring.

Migrating UEFI-based VMs

  1. Create a runbook that includes the UEFI-based VMs you want to migrate.
  2. For each UEFI-based VM in your runbook, specify whether the VM should be booted with Secure Boot. The runbook provides the following fields specific to UEFI-based VMs. For more runbook fields, see the Runbook reference.
    Field: BootFirmware
      Required: No
      Format: UEFI or BIOS
      Description: Included by Migrate for Compute Engine when the runbook is generated. Where this value is UEFI, you can enable Secure Boot for the migrated VM on Compute Engine by specifying TRUE in the GcpSecureBoot column. Values include UEFI for UEFI-based source VMs and BIOS for vSphere BIOS VMs, AWS, and Azure VMs.

    Field: GcpSecureBoot
      Required: No
      Format: TRUE or FALSE. Default is FALSE.
      Description: Use TRUE to specify that a UEFI-based source VM should have Secure Boot enabled after it is migrated. The BootFirmware field must be set to UEFI in order for a GcpSecureBoot TRUE value to be accepted.
  3. Migrate in waves.

    Note that Secure Boot is not enabled during migration streaming. For VMs marked in the runbook to have Secure Boot enabled, Migrate for Compute Engine will enable Secure Boot after detach.

  4. After detaching, optionally enable additional Shielded VM features.
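
A pre-flight check for step 2, as an added example that is not part of the original page or of Migrate for Compute Engine: it applies the BootFirmware and GcpSecureBoot rules from the field descriptions to a runbook before a wave is run, and lists UEFI VMs that were left without Secure Boot. It assumes the runbook is a CSV file; the VmName column, the case-insensitive comparison, and all sample rows are constructed assumptions, and only the two field names and their allowed values come from the page.

```python
import csv
import io

# Constructed sample runbook. Only BootFirmware and GcpSecureBoot come from
# the page; the VmName column and every row value are assumptions.
SAMPLE_RUNBOOK = """VmName,BootFirmware,GcpSecureBoot
web-01,UEFI,TRUE
web-02,UEFI,
db-01,BIOS,TRUE
app-01,UEFI,yes
app-02,BIOS,FALSE
"""


def check_runbook(text):
    """Return (errors, secure_boot_vms, uefi_without_secure_boot)."""
    errors, enabled, review = [], [], []
    # The header is line 1 of the file, so data rows start at line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = (row.get("VmName") or "").strip()
        # Values are compared case-insensitively (a choice of this example).
        firmware = (row.get("BootFirmware") or "").strip().upper()
        # An empty GcpSecureBoot cell takes the documented default, FALSE.
        secure = (row.get("GcpSecureBoot") or "").strip().upper() or "FALSE"

        if firmware not in ("UEFI", "BIOS"):
            errors.append((line_no, name, "BootFirmware must be UEFI or BIOS"))
        elif secure not in ("TRUE", "FALSE"):
            errors.append((line_no, name, "GcpSecureBoot must be TRUE or FALSE"))
        elif secure == "TRUE" and firmware != "UEFI":
            errors.append((line_no, name, "GcpSecureBoot TRUE requires BootFirmware UEFI"))
        elif secure == "TRUE":
            enabled.append(name)
        elif firmware == "UEFI":
            # Eligible for Secure Boot but left at FALSE: flag for review.
            review.append(name)
    return errors, enabled, review


if __name__ == "__main__":
    errors, enabled, review = check_runbook(SAMPLE_RUNBOOK)
    for line_no, name, message in errors:
        print(f"line {line_no}: {name}: {message}")
    print("Secure Boot after detach:", ", ".join(enabled))
    print("UEFI without Secure Boot:", ", ".join(review))
```
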