TPM

Clearing TPM alarms after replacing TPM chip or resetting TPM keys for ESXi

06.07.2023 by William Lam // 10 Comments

If you have a supported Trusted Platform Module (TPM) device that has been installed in your ESXi host after the initial installation and you either replace the TPM chip and/or you reset the TPM keys within the system BIOS, you may find several TPM alarms that is raised within your vCenter Server including:

Host TPM attestation alarm
TPM Encryption Recovery Key Backup Alarm
The new host TPM endorsement key doesn't match the one stored in the DB

I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS, this was for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.

After a bit of searching, I came across this VMware KB 81446 which outlines a solution to one the scenarios I mentioned above where you would see these TPM alarms, which is replacing the TPM chip, but I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing a some details, which I have already shared in the feedback and I think there is a more streamline method which I have shared below.

[Read more...]

Quick Tip - TPM 2.0 connection cannot be established after upgrading to ESXi 8.0

10.18.2022 by William Lam // 8 Comments

There has been several reports from folks internally and within the community that after upgrading to ESXi 8.0, they are now seeing the following TPM error message:

TPM 2.0 device detected but a connection cannot be established.

The common theme between all these reported cases that I have seen is that they are all using an Intel NUC. While the Intel NUCs may list TPM support, they do not support either TPM Interface Specification (TIS) for TPM 1.2 or the First In, First Out (FIFO) for TPM 2.0, which are industry standards for communicating with a TPM device that ESXi uses.

[Read more...]

Quick Tip - Adding a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM

05.13.2022 by William Lam // 3 Comments

I had an interesting question this morning asking whether it was possible to add a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM? The user was interested in testing a particular scenario with the new vSphere Trust Authority feature that was introduced in the vSphere 7.0. I personally had not done much with vTPM and I had assumed it should just work as long as you have a physical TPM chip in the underlying hardware and you have setup either a Standard or Native Key Provider within your vCenter Server.

The user observed that adding a vTPM to a Windows VM was possible using the vSphere UI but when attempting to perform the same operation on a Nested ESXi VM, the option to add vTPM device was not available. After spending ~30 minutes asking around for hardware that had a physical TPM, I remember that my Quartz Canyon NUC (NUC 9 Pro) is a Xeon based system and it has TPM 2.0 chip. I was able to take a closer look and quickly found the solution was very pretty straight forward!

[Read more...]