TPM Overview

 

ESXi 6.7 이상부터는 TPM 2.0을 지원합니다.

이와 관련하여, 현재 설정 정보를 확인하는 방법 및 설정 관련 정보를 알아보도록 하겠습니다.

 

Prerequisites

To use a TPM 2.0 chip, your vCenter Server environment must meet these requirements:

• • vCenter Server 6.7 or later
  • ESXi 6.7 host or later with TPM 2.0 chip installed and enabled in UEFI
  • UEFI Secure Boot enabled

 

Ensure that the TPM is configured in the ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). 

Please also check and confirm the algorithm is SHA-256 instead of SHA-1 in the e.g. 'TPM Advanced Settings'. Or TPM won't be activated even if you turned it ON in BIOS.

For TPM2.0 and TXT, only SHA-256 is supported.

 

Configuration from Command Line

# /usr/lib/vmware/secureboot/bin/secureBoot.py --check-status Enabled   # /usr/lib/vmware/secureboot/bin/secureBoot.py -c Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated   # esxcli hardware trustedboot get    Drtm Enabled: false    Tpm Present: true   ## Check TPM2.0 status # vsish -e get /hardware/tpm/present 1   # vsish -e get /hardware/tpm/active 1   # vsish -e get /hardware/tpm/version 2   # vsish -e get /vmkModules/tpmdriver/vendor NTC   ## Check sucureboot status # vsish -e get /hardware/firmwareType  1 -> UEFI   # vsish -e get /secureBoot/status Secure boot status {    Secure Boot attempted:1    Secure Boot successfully completed:1    Secure Boot status set:1    Lowest Acceptance Level:partner }   ## Check TXT status # vsish -e get /hardware/tpm/txt/launched 1

 

Configuration from Support Bundle

./commands/vmware-vimdump_-o----U-dcui.txt =============== 16. vim.HostSystem::ha-host =============== (vmodl.query.PropertyCollector.ObjectContent) [    (vmodl.query.PropertyCollector.ObjectContent) {       dynamicType = <unset>,       dynamicProperty = (vmodl.DynamicProperty) [],       obj = 'vim.HostSystem:ha-host',       propSet = (vmodl.DynamicProperty) [          (vmodl.DynamicProperty) {             name = 'availableField',             val = (vim.CustomFieldsManager.FieldDef) []          },          (vmodl.DynamicProperty) {             name = 'capability',             val = (vim.host.Capability) {                dynamicType = <unset>,                dynamicProperty = (vmodl.DynamicProperty) [],                recursiveResourcePoolsSupported = true,                cpuMemoryResourceConfigurationSupported = true, … … …                perVMNetworkTrafficShapingSupported = false,                tpmSupported = true, ### <-- !!                tpmVersion = '2.0', ### <-- !!                txtEnabled = false, ### <-- !!            (vmodl.DynamicProperty) {             name = 'runtime',             val = (vim.host.RuntimeInfo) {                dynamicType = <unset>, … … …                dasHostState = <unset>,                tpmPcrValues = (vim.host.TpmDigestInfo) [], ### <-- !!                cpuCapacityForVm = <unset>,                      stateEncryption = (vim.host.RuntimeInfo.StateEncryptionInfo) {                   dynamicType = <unset>,                   dynamicProperty = (vmodl.DynamicProperty) [],                   protectionMode = 'tpm', ### <-- !!                   requireSecureBoot = false, ### <-- !!                   requireExecInstalledOnly = false                }             }          },                    gateway = <unset>,                tpmAttestation = <unset>,                trustAuthorityAttestationInfos = (vim.host.TrustAuthorityAttestationInfo) []             }   ./commands/localcli_system-settings-encryption-get.txt EncryptionGet:    Mode: TPM ### <-- !! TPM을 사용하지 않는 환경에서는 Mode: None으로 표시    Require Executables Only From Installed VIBs: false    Require Secure Boot: false

 

ESXi 설치 시점에는 TPM을 활성화하지 않았다가, 나중에 TPM을 활성화 한 경우에는 다음과 같이 수동 설정 필요

# esxcli system settings encryption get    Mode: NONE    Require Executables Only From Installed VIBs: false    Require Secure Boot: false   # esxcli system settings encryption set --mode=TPM   # esxcli system settings encryption get    Mode: TPM    Require Executables Only From Installed VIBs: false    Require Secure Boot: false   # esxcli system settings encryption set --require-secure-boot=T   # esxcli system settings encryption get    Mode: TPM    Require Executables Only From Installed VIBs: false    Require Secure Boot: true

 

[참고 자료]

Securing ESXi Hosts with Trusted Platform Module

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-10F7022C-DBE1-47A2-BD86-3840C6955057.html

 

UEFI Secure Boot for ESXi Hosts

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-5D5EE0D1-2596-43D7-95C8-0B29733191D9.html

 

Troubleshoot ESXi Host Attestation Problems

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-CE69FA70-9C15-4ABD-871F-57D20BF98EEB.html

 

Cannot enable secure boot on host upgraded to ESXi 6.7 (54481)

https://kb.vmware.com/s/article/54481

 

Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-82C6B841-8B38-4D7D-8EFA-83AB1605F59D.html