24. February 2022

Dell EMC PowerEdge Server TPM Support on vSphere 7.0

By H. Cemre Günay

TPM stands for Trusted Platform Module. It is a chip that provides basic security functions on a hardware basis. It can be used to ensure the integrity of a system and platforms such as computers and servers or other electronic devices like smartphones. The chip is protected against manipulation by security mechanisms and, for example, generates, provides, stores or controls the use of cryptographic keys.

TPM 2.0 is supported on all 13th Gen and 14th Gen Dell EMC PowerEdge servers, including the latest AMD servers. Note that it is not enabled by default. TPM 2.0 is enabled and supported with VMware vSphere 7.0.

But if you enable TPM 2.0 on a Dell EMC PowerEdge server, you may get a Host TPM attestation alarm because the configuration may be wrong.

In this case, on your host, you will notice a critical error like this:

The vSphere Client does not provide any other information, at either the task or the event level.

First step: find the reason for this issue. To do that, change the view to the data center:

  1. Navigate to a data center and click the Monitor tab.
  2. Click Security.
  3. Review the host’s status in the Attestation column and read the accompanying message in the Message column.

If you notice Internal failure under Message, then the TPM settings in the BIOS are not correct. You need to reboot your server and reconfigure it.

Use iDRAC (or the physical console) to open a console to the host. Reboot the host and press F2, when available, to enter the BIOS settings. Note that you can also select the next boot option directly from the iDRAC console.

Then choose System Setup > System BIOS

  • TPM Security must be enabled (but if you got the previous error in vSphere it’s already enabled).
  • TPM Information must be “2.0 NTC”, but TPM Firmware could also be older.
  • If the server has already been used with TPM functions, it could be useful to select “TPM Hierarchy Clear” on TPM Hierarchy.

Then click the TPM Advanced Settings link:

TPM PPI settings should be disabled and TPM2 Algorithm Selection should be SHA256.

  • If TPM2 Algorithm Selection is not present, you need to save the configuration and reboot your system. Then enter the BIOS again.
  • If it is not possible to change the TPM algorithm to SHA256, try it with Intel(R) TXT disabled. Intel TXT could be On or Off depending on your vSphere release. If the Intel TXT field only offers the Off option, enable Secure Boot and set SHA-256 first, then turn Intel(R) TXT on.
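To check these values on several hosts without walking through the BIOS screens, the settings above can be audited from a text dump. This is an added example, not part of the original post: it assumes the `Name=Value` output of `racadm get BIOS.SysSecurity`, and the attribute names (`TpmSecurity`, `Tpm2Algorithm`, `TpmPpiBypassProvision`, `TpmPpiBypassClear`, `TpmInfo`), including the mapping of "TPM PPI settings" to the two bypass attributes, are assumptions; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: audit TPM BIOS attributes against the values in this article.
# Input is "Name=Value" text as printed by `racadm get BIOS.SysSecurity`;
# read-only attributes carry a leading '#'. Attribute names are assumptions.
check_tpm_settings() {
    awk -F= '
    BEGIN {
        want["TpmSecurity"]           = "On"
        want["Tpm2Algorithm"]         = "SHA256"
        want["TpmPpiBypassProvision"] = "Disabled"
        want["TpmPpiBypassClear"]     = "Disabled"
    }
    {
        sub(/\r$/, "")                      # tolerate CRLF from console captures
        key = $1; sub(/^#/, "", key)        # strip the read-only marker
        val = substr($0, length($1) + 2)    # everything after the first "="
        if (key in want) seen[key] = val
        if (key == "TpmInfo") info = val
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                # Covers the "TPM2 Algorithm Selection is not present" case.
                printf "MISSING %s (expected %s)\n", k, want[k]; bad = 1
            } else if (seen[k] != want[k]) {
                printf "FAIL    %s=%s (expected %s)\n", k, seen[k], want[k]; bad = 1
            } else {
                printf "OK      %s=%s\n", k, seen[k]
            }
        }
        if (info !~ /2\.0 NTC/) { printf "FAIL    TpmInfo=%s (expected 2.0 NTC)\n", info; bad = 1 }
        exit bad
    }'
}

# Constructed sample dumps (not captured from a real server).
sample_good() {
    printf '%s\n' '[Key=BIOS.Setup.1-1#SysSecurity]' 'TpmSecurity=On' \
        '#TpmInfo=Type: 2.0 NTC' 'TpmPpiBypassProvision=Disabled' \
        'TpmPpiBypassClear=Disabled' 'Tpm2Algorithm=SHA256' 'IntelTxt=Off'
}
sample_bad() {
    printf '%s\n' '[Key=BIOS.Setup.1-1#SysSecurity]' 'TpmSecurity=On' \
        '#TpmInfo=Type: 2.0 NTC' 'TpmPpiBypassProvision=Enabled' \
        'TpmPpiBypassClear=Disabled' 'Tpm2Algorithm=SHA1' 'IntelTxt=On'
}

sample_good | check_tpm_settings
```

On a real host the input would come from `racadm get BIOS.SysSecurity | check_tpm_settings`; a non-zero exit status means at least one setting differs from the values listed above.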

Last step: Reboot the host and clear the alarm.

If there is still an alarm even after the reboot, disconnect the host from vCenter and then reconnect it. Note that there is no need to put the host into maintenance mode when disconnecting it from vCenter (not even in a vSAN environment).

And that’s it. If you have any questions, please leave them in the comments. 🙂