UCSX-TPM2-002 not supported for ESXi 7.0 U2 TPM Encryption?

DRAGONKZ
Level 1

I've got some B200 M4s and C220 M5s and all are running the Cisco TPM 2.0 (UCSX-TPM2-002).

 

The modules are functioning fine and are reported correctly, but they don't appear to work with the new TPM Encryption feature in ESXi 7.0 U2.

 

vCenter throws up a nice "TPM Encryption Recovery Key Backup Alarm" for any host that has a TPM 2.0 and has been updated to 7.0 U2... an article explaining how to test/enable this feature is here --> https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-82C6B841-8B38-4D7D-8EFA-83AB1605F59D.html

 

The link above mentions that "The esxcli system settings encryption set command fails on some TPMs, such as those from NationZ (NTZ) and Infineon Technologies (IFX), even when the TPM is enabled for the host."

 

Is the Cisco TPM 2.0 expected to work with this new TPM Encryption feature set, or is it using an NTZ/IFX chip and therefore will not be able to work?

 

Thanks

8 Replies

Kirk J
Cisco Employee

I believe they are Infineon based.

Hopefully the limitations seen in 7.0U2 get resolved in a future ESXi patch.

Please open a TAC case, so we can take a look at your specific environment.

 

Kirk...

DRAGONKZ
Level 1

Hi Kirk,

 

I'm running these in a home lab, so unfortunately I don't have the option to log a TAC ticket.

 

The issue should be reproducible simply by enabling the TPM in 2.0 mode and installing ESXi 7.0 U2. (ESXi only attempts to enable this new TPM security mode after a new install or an upgrade to 7.0 U2.) PPI Spec 1.2 or 1.3 for the TPM makes no difference.

 

You can run the following command on a host to check its state after an install/upgrade to 7.0 U2: "esxcli system settings encryption get"

 

If mode is "NONE" then it's not using the TPM 2.0.

 

You can run "esxcli system settings encryption set --mode=TPM" to try to reconfigure it to use the TPM 2.0, but in my case below it fails.

 

If you guys don't have an option to test internally, then I can try to find someone else I know who has a similar setup to me (but in production and with a SMARTnet contract) to log the ticket.

 

Thanks
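The check described in the post above, as an added example that is not part of the thread: a small POSIX shell script that parses the output of "esxcli system settings encryption get" and says whether the host's configuration is sealed to the TPM. The two sample outputs are constructed here from the field names the command prints (exact spacing may differ between builds); when run on a real ESXi host where esxcli exists, it reads the live output instead.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the Mode reported by
# "esxcli system settings encryption get" on an ESXi 7.0 U2+ host.

# Constructed sample outputs, modelled on the command's real field names.
SAMPLE_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

SAMPLE_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# Extract the value of the "Mode:" line from captured esxcli output ($1).
encryption_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# Turn the mode into the next step an operator should take.
# NONE means the host is not using the TPM 2.0 (the situation in the thread);
# TPM means sealing is active and the recovery key should be backed up.
next_step() {
    case "$(encryption_mode "$1")" in
        TPM)  echo "ok: configuration is sealed to the TPM; back up the recovery key" ;;
        NONE) echo "not sealed: try 'esxcli system settings encryption set --mode=TPM' and reboot; if it fails, check TPM vendor support (7.0 U3 added Infineon)" ;;
        "")   echo "unknown: could not parse Mode from esxcli output" ;;
        *)    echo "unexpected mode: $(encryption_mode "$1")" ;;
    esac
}

# Live check when run directly on an ESXi host; otherwise show the samples.
if command -v esxcli >/dev/null 2>&1; then
    next_step "$(esxcli system settings encryption get)"
else
    next_step "$SAMPLE_NONE"
    next_step "$SAMPLE_TPM"
fi
```

Run it from an SSH session on the host after the install or upgrade; a "not sealed" result matches the symptom in this thread on 7.0 U2 with the Infineon-based UCSX-TPM2-002.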

 

DRAGONKZ
Level 1

Just posting an update: this appears to have been fixed with vSphere 7 Update 3.

Infineon chips are now supported, and I've confirmed the TPM 2.0 in an M5 server was able to be swapped over to TPM enforcement.

I'll test this on an M4 server with a TPM 2.0 a bit later today.

Art Astafiev
Level 1

Hi. I am trying to install new UCSX-TPM2-002B modules in my UCS-C220-M5 servers and keep getting alarms in VMware. So far I have had a TAC case open for 3 months with no success. Can you please share how your BIOS settings are configured in BIOS > Advanced > Trusted Computing and other places? I am on the latest BIOS for M5 (4.2.2f) and also on the latest ESXi version, 7.0.3f.

DRAGONKZ
Level 1

What alert are you seeing in vCenter?

Are they configured to boot as UEFI? Are they configured to use secure boot?

Are you trying to configure TPM sealing? If so, run this command on an ESXi host and let me know the output:

esxcli system settings encryption get

 

Thanks

Finally, yesterday I was able to reach the point where VMware stopped alerting me on this host's TPM issue. Now I will do the 2nd server and would like to document the procedure for the Cisco community. What is not clear to me is which BIOS settings are "best practice" to enable. For example, it is clear that the SHA256 bank needs to be enabled, but do I need to keep the SHA-1 bank enabled also? Do I need to enable "TPM Minimal Physical Presence"? Do I need Platform Hierarchy enabled? Do I need Storage Hierarchy enabled? Do I need Endorsement Hierarchy enabled? So far I am leaning toward the following configuration, but whether it is "best practice" or not I have no idea. I should probably ask TAC for their opinion.

 

DRAGONKZ
Level 1

If you're doing a clean install/upgrade to 7.0 U3, then the only alert I would expect to see is related to the TPM recovery key backup.

Is this the alert you were getting?

I configure my setup as follows:

UEFI Boot Mode

Secure Boot Enabled

The attached screenshots show the other settings related to TPM config.

With this setup TPM attestation has worked since vSphere 6.7, and TPM sealing has worked since 7.0 U3.

Art Astafiev
Level 1

Thank you for sharing the information. I did a separate post on my experience with UCS-C220-M5 servers. Just leaving the link here in case someone needs it.

https://community.cisco.com/t5/unified-computing-system-discussions/configure-tpm-module-ucsx-tpm2-002b-in-ucs-c220-m5/td-p/4696399
