ESXi 7 and TPM 2.0 - Host TPM attestation alarm explanation

    With ESXi 7, whether freshly installed or upgraded from 6.x, there are a couple of changes in how the host detects hardware security tampering using the Trusted Platform Module (TPM) chip. Occasionally an alarm appears in the vCenter console that looks like the one in the picture below (I ran into this myself on Dell PowerEdge hardware):


    Per VMware's documentation (LINK 1), with UEFI secure boot enabled the TPM 2.0 chip stores measurements of the software modules booted on the ESXi host, and vCenter remotely verifies those measurements to attest the host; the alarm is raised when that verification does not succeed. Specifically, from vSphere 7 the new "vSphere Trust Authority Attestation Service is introduced, which signs a JSON Web Token (JWT) that it issues to the ESXi host, providing the assertions about the identity, validity, and configuration of the ESXi host" - giving the option to build a completely trusted infrastructure inside vSphere (LINK 2).
But before that can happen, a couple of requirements must be met:
  • vCenter/ESXi minimum version 6.7,
  • UEFI secure boot enabled,
  • SHA-256 hashing enabled at TPM level,
  • If the BIOS offers a choice, the TPM interface should be set to TIS (TPM Interface Specification) / FIFO (First-In, First-Out) rather than CRB (Command Response Buffer),
  • Intel Trusted Execution Technology (TXT) should be ENABLED - yes, ESXi supports it from v7 onwards.
Some of these were BIOS settings I had to change on my specific Dell hardware.
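As an added example (not code from the original post or from VMware), here is a PowerCLI script that reports, for every ESXi host in a vCenter, the TPM and secure boot state together with the attestation result vCenter holds for it, so the alarm can be correlated with the prerequisites above. It assumes PowerCLI is installed and that the vSphere API exposes HostCapability.TpmSupported, HostCapability.TpmVersion, HostCapability.UefiSecureBoot and HostListSummary.TpmAttestation (vSphere API 6.7 and later). The TPM hash algorithm, the TIS/CRB interface choice and the TXT state are BIOS settings that this script does not check; those still have to be verified in the server BIOS (iDRAC on Dell hardware).

```powershell
# Added example: inventory TPM attestation state of all ESXi hosts via PowerCLI.
# Assumes PowerCLI is installed and the vSphere API property paths
# HostCapability.TpmSupported/TpmVersion/UefiSecureBoot and
# HostListSummary.TpmAttestation (vSphere API 6.7+).
param(
    [Parameter(Mandatory)] [string] $Server   # vCenter FQDN or IP (assumed input)
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

$report = foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
    $cap = $vmhost.ExtensionData.Capability          # HostCapability
    $att = $vmhost.ExtensionData.Summary.TpmAttestation  # HostTpmAttestationInfo, $null if never attested

    # Attestation messages are LocalizableMessage[]; join their text for the report.
    $msg = ''
    if ($att -and $att.Message) {
        $msg = ($att.Message | ForEach-Object { $_.Message }) -join '; '
    }

    [pscustomobject]@{
        Host            = $vmhost.Name
        Version         = $vmhost.Version
        TpmSupported    = $cap.TpmSupported
        TpmVersion      = $cap.TpmVersion
        UefiSecureBoot  = $cap.UefiSecureBoot
        Attestation     = if ($att) { "$($att.Status)" } else { 'never' }   # accepted / notAccepted / never
        AttestationTime = if ($att) { $att.Time } else { $null }
        Message         = $msg
    }
}

# Full inventory for the record.
$report | Format-Table -AutoSize

# Hosts that have a TPM but are not attested are the ones the vCenter alarm
# refers to: fix the BIOS prerequisites and reboot so the measurements are redone.
$failed = $report | Where-Object { $_.TpmSupported -and $_.Attestation -ne 'accepted' }
if ($failed) {
    Write-Warning "Hosts with a TPM but without accepted attestation:"
    $failed | Select-Object Host, TpmVersion, UefiSecureBoot, Attestation, Message | Format-Table -AutoSize
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it as `.\Get-TpmAttestation.ps1 -Server vcenter.example.local` (file name and server name are placeholders). A host with TpmSupported set but UefiSecureBoot false is the most common picture behind the alarm: the TPM is present, but without secure boot there is no trusted measurement chain for vCenter to accept.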

    If you meet the software and hardware requirements, I see no specific reason not to use these features, for the full security benefit inside the DC infrastructure 👍


vSphere 8 UPDATE - TPM 2.0 behaviour

    The requirements above still apply to the vSphere 8 family, which adds new capabilities and features, including additional monitoring and troubleshooting options inside vCenter 8 (LINK 3).


