For ESXi, Secure Boot is possible using the digital signature of all VIB components, like a cryptographic assurance. By utilizing that computerized endorsement in the host UEFI firmware, at boot time, the approved ESXi VMkernel will in this way approve each VIB against the same certificate:

When ESXi Secure Boot is enabled, you will not be able to install unsigned code on ESXi forcibly.

For more information on how to enable this feature and some possible issues, for example, during the upgrade process, see the following post: https://blogs.vmware.com/vsphere/2017/05/secure-boot-esxi-6-5-hypervisor-assurance.html.