
Host TPM attestation alarm ESXi 7.0


I am trying to bring up a couple of ESXi 7.0 hosts with attestation and add them to a VCSA. Install is unremarkable, except the hosts keep failing attestation. I also keep getting the titled error in vCenter, after adding the hosts.

The summary on the TPM alert just says "Internal Error." The document that I found on "internal error" was this (https://vinfrastructure.it/2019/11/esxi-6-7-tpm-support-on-dell-emc-poweredge-server/), which points to "the TPM settings in the BIOS are not correct."

I checked the TPM in ESXi as best as I could figure, everything seems to come back clean (screen shot attached) except for these 2 lines, that seem funny, but do not generate any errors:

tpmDriver: Tpm2CheckInterface:615: TPM does not appear to be speaking the 2.0 protocol (interfaceType = 0xf).

tpmDriver: Tpm2CheckInterface:616: Continuing on best effort basis using the 2.0 protocol.

I never had this issue on 6.7 and have regenerated all keys in BIOS, I have added the VMware key "vmware_sb2017.der" per KB 2148532 (https://kb.vmware.com/s/article/2148532) to my "Authorized Signatures" in the Secure Boot part of the BIOS (I also tried with standard settings), renewed certs on the hosts, and generated certs in VCSA (option 4).

I have also disconnected and reconnected hosts multiple times and rebooted everything.

I really do not know what else to do, because according to the hosts, they seem to be passing and loading everything, but VCSA keeps telling me not.

Motherboard is Supermicro X11Dpi-NT. It is Supermicro's TPM 2.0 chip AOM-TPM-9670V-S (IFX).

I am attaching screen shots of the BIOS settings and CLI.

I am also seeing this warning, "Unable to provision Endorsement Key on TPM 2.0 device: No RSA Endorsement Key certificate found in TPM 2.0 device's non-volatile memory." and have no idea what this means or if it is related (I never saw this on 6.7).

Any ideas? Whatever I have tried so far keeps coming back to the same result.

Any help would be appreciated.
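Added example (not from the post, and not VMware code): a small Python triage pass over vmkernel-style log text that flags the two TPM messages quoted above, decoding the interfaceType value per the InterfaceType field of the TCG PC Client PTP TPM_INTERFACE_ID register and separating the best-effort interface warning from the missing Endorsement Key certificate, which on its own prevents vCenter from attesting the host. The sample lines are constructed from the messages in the post.

```python
import re

# Constructed sample in the style of the vmkernel lines quoted in the post (not a real capture)
SAMPLE_LOG = """\
tpmDriver: Tpm2CheckInterface:615: TPM does not appear to be speaking the 2.0 protocol (interfaceType = 0xf).
tpmDriver: Tpm2CheckInterface:616: Continuing on best effort basis using the 2.0 protocol.
Unable to provision Endorsement Key on TPM 2.0 device: No RSA Endorsement Key certificate found in TPM 2.0 device's non-volatile memory.
"""

# InterfaceType field (bits 3:0) of the TPM_INTERFACE_ID register, TCG PC Client PTP spec
INTERFACE_TYPES = {
    0x0: "FIFO interface as defined in PTP (TPM 2.0)",
    0x1: "CRB interface (TPM 2.0)",
    0xF: "FIFO interface as defined in TIS 1.3 (TPM 1.2-style register interface)",
}

INTERFACE_RE = re.compile(r"interfaceType = (0x[0-9a-fA-F]+)")
NO_EK_CERT_RE = re.compile(r"No RSA Endorsement Key certificate found")


def triage_tpm_log(text):
    """Return a list of findings as (check, detail, blocks_attestation) tuples."""
    findings = []
    for line in text.splitlines():
        m = INTERFACE_RE.search(line)
        if m and "does not appear to be speaking the 2.0 protocol" in line:
            code = int(m.group(1), 16)
            detail = INTERFACE_TYPES.get(code, "unknown interface type %#x" % code)
            # The driver continues on a best-effort basis, so this alone does not fail
            # attestation, but it is a hardware/firmware warning sign worth recording.
            findings.append(("tpm_interface", detail, False))
        if NO_EK_CERT_RE.search(line):
            # vCenter identifies the TPM through its Endorsement Key certificate;
            # without one in NV memory the host cannot be attested even if it boots fine.
            findings.append(("ek_certificate_missing", "no RSA EK certificate in TPM NV memory", True))
    return findings


def attestation_blockers(text):
    """Names of the checks that, by themselves, explain a failed host attestation."""
    return sorted({check for check, _, blocks in triage_tpm_log(text) if blocks})


if __name__ == "__main__":
    for check, detail, blocks in triage_tpm_log(SAMPLE_LOG):
        print(f"{'BLOCKER' if blocks else 'warning'}: {check}: {detail}")
    print("attestation blockers:", attestation_blockers(SAMPLE_LOG))
```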

Accepted Solutions

The problem was resolved with an RMA to Supermicro for the TPM chips. The replacement TPM chips booted with no problem and passed attestation. I requested further information on the returned chips to understand exactly what the issue was. If I get more information, I will post it here.

2 Replies

I overwrote the hosts with ESXi 6.7 U3, and installed a VCSA 6.7 (last versions on both), and the same issue reproduced. Same errors and behavior, so my earlier comment on 6.7 is not valid. I have hosts passing attestation with 6.7, but they are an X10 chipset rather than X11 (Intel C622).
