diff --git a/baremetal_vm/README.md b/baremetal_vm/README.md
index 3fefaa4..a556daa 100644
--- a/baremetal_vm/README.md
+++ b/baremetal_vm/README.md
@@ -146,6 +146,7 @@ Variables can be stored in the script basedir as `.env` or in any file and use t
 * `DISKSIZE` specifies the disk size to configure for the VM
 * `IMG_TO_USE` specifies an image to locally cache and use for provisioning
 * One option is `https://download.opensuse.org/pub/opensuse/distribution/leap/15.4/appliances/openSUSE-Leap-15.4-Minimal-VM.x86_64-OpenStack-Cloud.qcow2`
+* `IMG_TO_USE_CHECKSUM` specifies the expected sha256 checksum for IMG_TO_USE
 NOTE: Also see the [env.example](env.example) file for an example config with all options.
diff --git a/baremetal_vm/create_vm.sh b/baremetal_vm/create_vm.sh
index 6310ea8..7eb6e1c 100755
--- a/baremetal_vm/create_vm.sh
+++ b/baremetal_vm/create_vm.sh
@@ -6,6 +6,7 @@ source ../slemicro/common.sh
 source common.sh
 IMG_TO_USE=${IMG_TO_USE:-}
+IMG_TO_USE_CHECKSUM=${IMG_TO_USE_CHECKSUM:-}
 while getopts 'f:n:h' OPTION; do
 case "${OPTION}" in
@@ -80,6 +81,13 @@ mkdir -p bmh-image-cache
 IMG_FILENAME=$(basename ${IMG_TO_USE})
 if [ ! -f bmh-image-cache/${IMG_FILENAME} ]; then
 curl -Lk ${IMG_TO_USE} > bmh-image-cache/${IMG_FILENAME}
+
+ # Require checksum validation to ensure image integrity
+ CHECKSUM_ACTUAL=$(sha256sum "bmh-image-cache/${IMG_FILENAME}" | awk '{print $1}')
+ if [ "${IMG_TO_USE_CHECKSUM}" != "${CHECKSUM_ACTUAL}" ]; then
+ die "download sha256 does not match ${IMG_TO_USE_CHECKSUM}, got ${CHECKSUM_ACTUAL}"
+ fi
+
+ pushd bmh-image-cache
 md5sum ${IMG_FILENAME} | tee ${IMG_FILENAME}.md5sum
 popd
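Review bot: In the create_vm.sh hunk at `@@ -80,6 +81,13 @@`, a checksum mismatch calls `die` but leaves the rejected download in `bmh-image-cache/`, and because the comparison sits inside `if [ ! -f bmh-image-cache/${IMG_FILENAME} ]`, a second run would find that file and skip verification entirely. Delete the file before failing, for example `rm -f -- "bmh-image-cache/${IMG_FILENAME}"` on the line ahead of `die`, or download to a temporary name and rename it only once the hash matches; this assumes `die` (presumably from the sourced common.sh, not visible here) exits the script. An image that was cached before this change is likewise never hashed, so placing the comparison after the download block would cover both cases, though the closing `fi` of that block lies outside the hunk. Since the download runs `curl -Lk` with certificate checks disabled, this sha256 comparison is the only integrity control on the image and should not be bypassable by a stale cache entry. With `IMG_TO_USE_CHECKSUM` defaulting to empty in the `@@ -6,6 +6,7 @@` hunk, an unset value fails with a message showing an empty expected hash; an explicit `[ -n "${IMG_TO_USE_CHECKSUM}" ] || die "IMG_TO_USE_CHECKSUM must be set"` would make the requirement clear.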