Configure TPM module UCSX-TPM2-002B in UCS-C220-M5

Art Astafiev

Configure UCS M5 server hardware for TPM module.
This procedure is written for the situation where a new TPM module UCSX-TPM2-002B is installed in a UCS C220 M5 server that did not have a TPM module before, so you may need to adapt the process to your particular scenario. My UCS servers were on the 4.1.3d firmware package at the beginning of this work and were upgraded to the 4.2.2f firmware package during the process.
Also, when I say “Boot to OS” in the steps below I mean booting to a simple Linux OS. Even though these servers run VMware ESXi, I found it useful to download a simple CentOS boot ISO and attach it to the virtual KVM DVD so I could boot into CentOS instead of VMware ESXi. This saves a lot of time, and at some points you will need to apply configuration via CIMC, which causes an immediate reboot. I did not want to crash my ESXi boot, so I used this small trick. I found that CIMC does not update its settings if you change something in the BIOS and then go into the BIOS again during the next boot. You need to initiate a boot to the OS for CIMC to update its settings.

Below are the steps I did before the TPM module was installed:
1. Restart the server into the BIOS (press F2). Go to Security > Administrator Password > enter a password > Save and Restart (F10). Note: the restart is needed. This unlocks some additional menu options in the BIOS at the next login. You cannot proceed with TPM without enabling the BIOS password.
2. Before the BIOS password was enabled, in the BIOS section Advanced > Trusted Computing, “Security Device Support” was enabled by default and I could not disable it. After the BIOS password was enabled I could go to Advanced > Trusted Computing and change “Security Device Support” to the Disable state. I did this step to prepare the system for the new TPM module installation.
3. To fix other vulnerability issues, at this point I upgraded my server to firmware 4.2.2f, which is currently the latest recommended release. After the full host upgrade completed, I shut down the server and installed the new TPM module.

Below are the steps I did after the TPM module was installed:
1. Boot to the BIOS. Go to Advanced > Trusted Computing > change “Security Device Support” to Enable, then press F10 for Save and Restart.
2. Boot to the BIOS again. Go to Advanced > Trusted Computing and set the following:
SHA-1 PCR Bank = Disable; SHA256 PCR Bank=Enabled; Platform Hierarchy=Enabled; Storage Hierarchy=Enabled; Endorsement Hierarchy=Enabled; TPM Spec Ver=TCG_2; PPI=1.3
Press F10 for Save and Restart.
3. Boot to OS. Log in to CIMC. Go to Inventory > TPM and confirm that you have the following settings:
Presence=equipped; Enabled Status=Disabled; Active Status=Deactivated
Then in CIMC go to Compute > Security. Check the box “Reboot Host Immediately” and set TPM State = Enable. Click Save. This results in multiple host reboots. I am not sure why this operation cannot be done at the BIOS level, or I could not find the spot.
4. Boot to the BIOS. Go to Advanced > Socket Configuration > Processor Configuration > set Intel TXT to Enable. Press F10 for Save and Restart. You can also enable this feature from the CIMC Compute > Security section.
5. Boot to OS. Log in to CIMC. Go to Inventory > TPM and confirm that you have the following settings:
Presence=equipped; Enabled Status=enabled; Active Status=activated; Ownership=owned
Then in CIMC go to Compute > Security and confirm that Intel Trusted Execution Technology (TXT) shows as Enabled.
Then in CIMC go to Compute > Configure Boot Order, check the “UEFI Secure Boot” box, click Save Changes and confirm that you want to reboot the host. This results in multiple reboots.
I am not sure why this operation cannot be done at the BIOS level; the option is greyed out in the BIOS.
6. This is just a verification step and can be skipped. Boot to the BIOS and confirm that Secure Boot is now enabled.
7. Let VMware ESXi boot on this host. The remaining changes have to be done on the VMware side.

Below are the steps I did on the VMware side to clear alarms after all the above steps were completed:
1. Keep the host in Maintenance Mode.
2. Enable the SSH service on the ESXi host (go to Configure > Services > select SSH > click Start).
3. Establish an SSH session to the ESXi host and run the command “esxcli system settings encryption get”.
Confirm that Mode = TPM and Require Secure Boot = True.
If the mode is not TPM, run “esxcli system settings encryption set --mode=TPM” and “esxcli system settings encryption set --require-secure-boot=T”.
Verify the change with “esxcli system settings encryption get”.
Save the settings with the command “/sbin/”.
4. Remove the ESXi host from vCenter and add it back.
5. If you get a TPM Encryption Recovery Key Backup alarm after adding the host to vCenter, reset the alarm to Green and restart the host to confirm that the alarm does not come back.
You can also confirm via SSH that the recovery list is fine by running “esxcli system settings encryption recovery list”.
6. This is the end of the TPM module installation procedure.
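As an added example (not part of the original post), here is a small POSIX shell helper that parses the output of “esxcli system settings encryption get” from step 3 and reports which of the two settings (Mode and Require Secure Boot) still need the corresponding set command. The sample outputs are constructed to mirror the ESXi format; on a real host you would substitute the live command output.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether an ESXi host
# matches the target state from the post: Mode=TPM, Require Secure Boot=true.

# Constructed samples mirroring "esxcli system settings encryption get" output.
SAMPLE_NONCOMPLIANT='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

SAMPLE_COMPLIANT='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# get_field OUTPUT LABEL: prints the value after "LABEL:", trimmed and lowercased.
get_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | tr 'A-Z' 'a-z' | head -n 1
}

# encryption_compliant OUTPUT: returns 0 when both settings match the target state.
encryption_compliant() {
    mode=$(get_field "$1" "Mode")
    sb=$(get_field "$1" "Require Secure Boot")
    [ "$mode" = "tpm" ] && [ "$sb" = "true" ]
}

# remediation_commands OUTPUT: prints the esxcli set command from the post
# for each setting that is still off (nothing when already compliant).
remediation_commands() {
    mode=$(get_field "$1" "Mode")
    sb=$(get_field "$1" "Require Secure Boot")
    [ "$mode" = "tpm" ] || echo "esxcli system settings encryption set --mode=TPM"
    [ "$sb" = "true" ] || echo "esxcli system settings encryption set --require-secure-boot=T"
}

# On an ESXi host, replace the sample with live output:
#   current=$(esxcli system settings encryption get)
if encryption_compliant "$SAMPLE_COMPLIANT"; then
    echo "host is compliant"
else
    remediation_commands "$SAMPLE_COMPLIANT"
fi
```

After running the printed set commands, re-run the get command and persist the configuration as in step 3 before removing and re-adding the host in vCenter.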

Below are the additional procedures needed to prepare vCenter for creating VMs with virtual TPM hardware:
1. Configure vSphere Trust Authority
2. Configuring and Managing a Standard Key Provider in vSphere environment.
3. Configuring and Managing vSphere Native Key Provider
4. Create a Virtual Machine with a Virtual Trusted Platform Module
