For ESXi, secure boot is possible using the digital signature of all VIB components, like a cryptographic assurance. By leveraging that digital certificate in the host UEFI firmware, at boot time, the validated ESXi VMkernel will subsequently validate each VIB against the same certificate:

For more information on how to enable this feature and some possible issues such as during the upgrade process, see the following post at https://blogs.vmware.com/vsphere/2017/05/secure-boot-esxi-6-5-hypervisor-assurance.html.