Configuration TPM ESXI 7

3 June 2022 By admin


Symptoms

Upgrading the VxRail cluster to the 4.7.x version family, which includes vCenter version 6.7.

After upgrading to VxRail Code 4.7.x, ESXi hosts in the cluster have an alert which states: TPM 2.0 device detected but a connection cannot be established.

Cause

For more information about Trusted Platform Module (TPM) version 2.0 in the vCenter 6.7 environment, read VMware documentation at https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-10F7022C-DBE1-47A2-BD86-3840C6955057.html.

The ESXi host’s BIOS must be configured to use the SHA256 hashing algorithm in order to support TPM. The alert can result from the advanced BIOS settings of the ESXi host being left at the default of SHA1, or from other BIOS settings.

Resolution

***Check that the BIOS changes outlined in this article are appropriate for your specific environment***

The steps below are to be performed on each affected node, one at a time. Before placing nodes into Maintenance Mode, ensure that the cluster is healthy. Ensure there is no active vSAN resynchronization, and that there are adequate resources available for VM migration. Ensure enough free vSAN space is available for fault tolerance.

  1. Place the host into Maintenance Mode in vCenter using ‘Ensure Accessibility’.
  2. Use iDRAC or BMC to open a console to the host. Reboot the host and enter BIOS settings, when available, by pressing F2 for System Setup > System BIOS.
  3. Go to the boot settings and take a screenshot of the UEFI Boot Sequence.
  4. Reset BIOS settings to default by clicking the ‘Default’ button. (Note: Resetting BIOS settings to default may change the BIOS boot order.)
  5. Enter System Security.
     a. ‘TPM Security’ should be ‘On’.
     b. ‘TXT’ should be ‘On’.

Note:

If there is only the Off option in the Intel TXT field, set Secure Boot to enabled using KB#000158364 and set SHA-256 (step 6 of this KB) first, then turn Intel(R) TXT on.
Article 000158364 requires other changes; log a service request with Dell Technologies.

  6. Enter ‘TPM Advanced Settings’.
     a. ‘TPM PPI’ settings should be ‘Disable’.
     b. ‘TPM2 Algorithm Selection’ should be ‘SHA256’.
  7. Verify that Secure Boot is set to ‘Enabled’.
  8. Verify that the BIOS settings are correct.
  9. Go to Boot settings -> UEFI Boot Sequence and change the boot order back as per the screenshot you took. (Generally AHCI controller in…: the ESXi operating system will be the first boot entry.)
  10. Exit the BIOS settings, which will reboot the node. Wait for the node to boot completely.
  11. In vCenter, if the host shows as disconnected, right-click the host icon, select ‘Connection’ and reconnect the host before exiting Maintenance Mode.
  12. Clear any alerts, retest, check once again for overall cluster health, vSAN resynchronization and sufficient available resources, then go to the next host.
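As an added check (example script, not part of the Dell article), the following POSIX shell script reads the output of two esxcli commands and reports which of the settings from steps 5 to 7 the host actually came up with after the reboot in step 10, before vCenter re-attests it. It assumes ESXi 7.0 U2 or later for `esxcli system settings encryption get`; the sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Dell KB. Assumes ESXi 7.0 U2 or later, where
# 'esxcli system settings encryption get' exists; 'esxcli hardware trustedboot get'
# exists on 6.7 and later. Live use, in the ESXi shell after the reboot in step 10:
#   ( esxcli hardware trustedboot get; esxcli system settings encryption get ) | sh tpmcheck.sh -
# Without '-' it runs against the constructed samples below.

# Constructed sample output in the format those two commands print (not captured).
SAMPLE_GOOD='   Drtm Enabled: true
   Tpm Present: true
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

SAMPLE_BAD='   Drtm Enabled: false
   Tpm Present: true
   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# field <text> <key>: value printed after "<key>:" in <text>, trimmed; empty if absent
field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# assess <text>: one "- reason" line per failed check, then PASS or FAIL; returns 0
assess() {
  fails=0
  [ "$(field "$1" 'Tpm Present')" = "true" ] \
    || { echo "- no TPM 2.0 device visible to ESXi (step 5a: 'TPM Security' On)"; fails=1; }
  [ "$(field "$1" 'Drtm Enabled')" = "true" ] \
    || { echo "- DRTM not enabled, Intel TXT is off (step 5b)"; fails=1; }
  [ "$(field "$1" 'Require Secure Boot')" = "true" ] \
    || { echo "- ESXi is not enforcing Secure Boot (step 7)"; fails=1; }
  [ "$(field "$1" 'Mode')" = "TPM" ] \
    || { echo "- configuration encryption mode is not TPM, host is not using the TPM"; fails=1; }
  [ "$fails" -eq 0 ] && echo PASS || echo FAIL
}

# verdict <text>: only the final PASS/FAIL word
verdict() { assess "$1" | tail -n 1; }

if [ "${1:-}" = "-" ]; then
  assess "$(cat)"
else
  echo "good sample:"; assess "$SAMPLE_GOOD"
  echo "bad sample:";  assess "$SAMPLE_BAD"
fi
```

A FAIL for the DRTM line alone is expected when the TXT field could only be set to Off and you followed the note under step 5.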

Additional information

If it is not possible to change the TPM algorithm to SHA256, try it with Intel(R) TXT disabled.
If there is still an alarm even after the reboot, disconnect and then reconnect the host from vCenter.

**** No need to put the host into maintenance mode when disconnecting the host from vCenter.

Note: there are indications that vCenter versions 6.7U3F or below have a defect that causes TPM attestation to show ‘internal error’.

Fix: upgrade to vCenter 6.7U3G or higher.
Then disconnect and reconnect each ESXi host.

Article properties


Affected product

VxRail Appliance Family

Product

Pivotal Ready Architecture, VxRail 460 and 470 Nodes, VxRail Appliance Family, VxRail Appliance Series, VxRail G410, VxRail G Series Nodes, VxRail E Series Nodes, VxRail E560, VxRail G560, VxRail G560F, VxRail Gen2 Hardware, VxRail P Series Nodes