VMware Cloud Community
Robertradz
Contributor

TPM chip and ESXi 5.5

Hello,

I have a question about properly enabling TPM functionality in VMware.

I installed TPM chip in Cisco blade UCS B200-M3 and I enabled TXT and TPM functionality in BIOS according to Cisco user manual.

The blade rebooted with no problems and the BIOS does show TPM configured (screenshot attached).

Unfortunately I can not figure out how to enable TPM functionality in VMware.

The esxcli command shows a lack of TPM:

# esxcli hardware trustedboot get
   Drtm Enabled: false
   Tpm Present: false

The query "QueryTpmAttestationReport" in the web interface of the ESXi host and vCenter does not show any PCR entries (screenshot attached). In addition, the BIOS shows the entry "TPM Owner status: unowned".

I can not find any option/setting in vCenter or ESXi to manipulate TPM functionality.

I searched through the Cisco and VMware KBs and I can not find any specific information about troubleshooting TPM in ESXi or vCenter.

I would appreciate some help in this matter.

Thank you,

Robert

JMills
Expert

VMware ESXi takes ownership of the TPM at boot, but only if the TPM is in an "Enabled, Activated, Un-Owned" state.

TPM ownership can be cleared ("TPM Clear") manually at any time, provided the right type of access is available. For every system I've encountered, this requires Assertion of Physical Presence (of the person reconfiguring the TPM) typically by interacting with the BIOS directly, and at least one trip through ACPI S5-G2 to execute the TPM Clear + TPM Disable and (as a consequence) shut off Intel TXT features. Most systems' TPMs allow a TPM Owner initiated "TPM Clear at next reboot" by communicating with the TPM through the operating system layer (but you must have access to the current TPM Owner credential to do this).

Once cleared, the TPM will be in an "Un-Enabled, Un-Activated, Un-Owned" state.

In order to make the TPM "useful" again (to VMware ESXi or another operating system), a second Assertion of Physical Presence (of the person reconfiguring the TPM) is required, again typically by interacting with the BIOS directly, and at least one trip through ACPI S5-G2 to execute the TPM Enable + Activate sequence. Another trip through BIOS and/or ACPI S5-G2 may be required to (re-)Enable Intel TXT features.

Once completed, the TPM will be in an "Enabled, Activated, Un-Owned" state, ready for an operating system layer Ownership Assertion.

A few of the BIOS implementations I have seen allow the human administrator to chain several common platform / TPM actions together, reducing the number of human-interactive steps required:

• TPM Clear chained with subsequent TPM Enable + Activate
• TPM Enable chained with subsequent Intel TXT Enable

A few of the systems allow Assertion of Physical Presence by proxy, e.g. using a vendor-supplied automation tool communicating with the IPMI/BMC layer of the system, rather than a human interacting on "Local Console" with the BIOS.

There are some details I glossed over (you must be using a TCG TPM v1.2 part, it must be pre-configured by the vendor with specific traits, etc…) which shouldn't be of concern in your specific example (Cisco UCS B-Series using Cisco supplied TPM miniboard).

-- (that) JMills

FWIW, I'm very rarely logged-in to the VMTN Forums -- an artifact of a change in focus over the years.

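The TPM v1.2 lifecycle the reply walks through (Clear, then Enable + Activate, then an OS-layer ownership assertion, each gated on physical presence or the owner credential) as an added illustration; this is my own model, not VMware, Cisco or the poster's code, and the next_step text is an assumed summary of the reply's advice:

```python
from dataclasses import dataclass


@dataclass
class Tpm12State:
    """TCG TPM v1.2 lifecycle flags as described in the reply above."""
    enabled: bool = False
    activated: bool = False
    owned: bool = False

    def label(self) -> str:
        return ", ".join((
            "Enabled" if self.enabled else "Un-Enabled",
            "Activated" if self.activated else "Un-Activated",
            "Owned" if self.owned else "Un-Owned",
        ))

    def clear(self, physical_presence=False, owner_credential=False) -> str:
        # TPM Clear: physical presence at the BIOS console, or the current TPM
        # Owner credential via the OS ("clear at next reboot"). Also drops TXT.
        if owner_credential and not self.owned:
            raise PermissionError("no TPM Owner credential exists on an un-owned TPM")
        if not (physical_presence or owner_credential):
            raise PermissionError("TPM Clear needs physical presence or the owner credential")
        self.enabled = self.activated = self.owned = False
        return self.label()

    def enable_and_activate(self, physical_presence=False) -> str:
        # BIOS Enable + Activate: a further physical-presence assertion plus an S5 cycle.
        if not physical_presence:
            raise PermissionError("TPM Enable + Activate needs physical presence")
        self.enabled = self.activated = True
        return self.label()

    def esxi_boot_take_ownership(self) -> bool:
        # ESXi only asserts ownership at boot from "Enabled, Activated, Un-Owned".
        if self.enabled and self.activated and not self.owned:
            self.owned = True
            return True
        return False


def next_step(state: Tpm12State) -> str:
    """Assumed summary of what the administrator must do next for ESXi to own the TPM."""
    if state.owned:
        return "already owned: TPM Clear (physical presence or owner credential), then re-Enable + Activate"
    if not (state.enabled and state.activated):
        return "BIOS: Enable + Activate with physical presence, then power-cycle (S5)"
    return "ready: ESXi takes ownership at next boot"
```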