427 Views, 15 Helpful, 2 Replies
DRAGONKZ
Beginner

UCSX-TPM2-002 not supported for ESXi 7.0 U2 TPM Encryption?

I've got some B200 M4s and C220 M5s and all are running the Cisco TPM 2.0 (UCSX-TPM2-002).

The modules are functioning fine and are reported correctly but don't appear to work with the new TPM Encryption feature in ESXi 7.0 U2.

vCenter throws up a nice "TPM Encryption Recovery Key Backup Alarm" for any host that has a TPM 2.0 and has been updated to 7.0 U2... an article explaining how to test/enable this feature is here --> https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-82C6B841-8B38-4D7D-8EFA-83AB1605F59D.html

The link above mentions that "The esxcli system settings encryption set command fails on some TPMs, such as those from NationZ (NTZ) and Infineon Technologies (IFX), even when the TPM is enabled for the host."

Is the Cisco TPM 2.0 expected to work with this new TPM Encryption feature set, or is it using an NTZ/IFX chip and therefore will not be able to work?

Thanks

2 Replies
Kirk J
Cisco Employee

I believe they are Infineon based.

Hopefully the limitations seen in 7.0U2 get resolved in a future ESXi patch.

Please open a TAC case so we can take a look at your specific environment.

Kirk...

DRAGONKZ
Beginner

Hi Kirk,

I'm running these in a home lab so unfortunately don't have the option to log a TAC ticket.

The issue should be reproducible simply by enabling the TPM in 2.0 mode and installing ESXi 7.0 U2. (ESXi only tries to enable this new TPM security mode after a new install or upgrade to 7.0 U2.) PPI Spec 1.2 or 1.3 for the TPM makes no difference.

You can run the following command on a host to check its state after install/upgrade to 7.0 U2: "esxcli system settings encryption get"

If mode is "NONE" then it's not using the TPM 2.0.

You can run "esxcli system settings encryption set --mode=TPM" to try and reconfigure it to use the TPM 2.0, but in my case below it fails.

If you guys don't have an option to test internally then I can try to find someone else I know who has a similar setup to me (but in production and with a SmartNet contract) to log the ticket.

Thanks
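As an added example that is not part of this thread, the POSIX shell snippet below wraps the check described in the reply above: it parses the output of "esxcli system settings encryption get", extracts the Mode field, and reports whether the host is actually sealing its configuration with the TPM. The two sample outputs are constructed here to mimic the command's "Mode:" line and are assumptions, not captured from a real host; on a real ESXi host you would pipe the live command output into encryption_mode instead.

```shell
#!/bin/sh
# Added example, not from the thread: decide from esxcli output whether
# an ESXi 7.0 U2 host is in TPM encryption mode or has fallen back to NONE.

# Constructed sample outputs (assumed shape of "esxcli system settings encryption get").
SAMPLE_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

SAMPLE_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

# encryption_mode: read esxcli output on stdin, print the value of the first "Mode:" line.
encryption_mode() {
    sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# tpm_in_use: exit 0 when the supplied output reports Mode TPM, 1 otherwise.
tpm_in_use() {
    [ "$(printf '%s\n' "$1" | encryption_mode)" = "TPM" ]
}

# check_host: print a verdict for one block of esxcli output; always exits 0
# so it can be called at top level without aborting a script that uses set -e.
check_host() {
    mode="$(printf '%s\n' "$1" | encryption_mode)"
    if tpm_in_use "$1"; then
        echo "Mode $mode: host configuration is sealed by the TPM"
    else
        echo "Mode ${mode:-unknown}: host is NOT using the TPM; review 'esxcli system settings encryption set --mode=TPM' and the recovery key backup alarm"
    fi
    return 0
}

# Stand-alone demonstration on the constructed samples.
# On a live host: esxcli system settings encryption get | encryption_mode
check_host "$SAMPLE_NONE"
check_host "$SAMPLE_TPM"
```

The mode value is the only field the reply relies on, so the parser keeps just that line; the other fields in the sample are left in place to show that the match is anchored to "Mode:" and is not fooled by the neighbouring "Require ..." settings.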

 
