PowerEdge: Troubleshooting Trusted Platform Module (TPM), Secure Boot, and ESXi

Summary: This knowledge base article offers a detailed guide for troubleshooting Trusted Platform Module (TPM) 2.0, Secure Boot, and ESXi-related issues on Dell servers. It provides step-by-step instructions to address common problems, ensuring the proper functioning and security of your server. ...

This article is not tied to any specific product. Not all product versions are identified in this article.

Symptoms

  • The host status in the Attestation column shows "Host Secure Boot was disabled"
  • Trusted Platform Module (TPM) 2.0 device detected but a connection cannot be established
  • The host status in the Attestation column shows "N/A"
  • When using a TPM 2.0 (Trusted Platform Module) device on an ESXi host, the host fails to pass the attestation phase
  • The error message is "Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on the device"

Cause

Common causes of Secure Boot and TPM issues are Secure Boot being disabled, misconfigured BIOS settings, hardware incompatibility, a faulty TPM 2.0 module, and incorrect TPM settings (for example, TPM Security or TPM Hierarchy turned off).

Resolution

Troubleshooting TPM and Secure Boot Issues on Dell Servers

Table of Contents:

  • Introduction
  • Prerequisites
  • Troubleshooting TPM and Secure Boot Issues
  • Host Attestation Issues
  • How to Enable TPM Hierarchy


Introduction

This knowledge base article provides step-by-step instructions to troubleshoot and resolve common issues related to Trusted Platform Module (TPM) and Secure Boot on Dell servers. These issues can hinder proper attestation and system functionality. Follow the instructions outlined in this document to ensure the optimal performance of your Dell server.


Prerequisites

  • Make sure the TPM 2.0 device is detected and healthy from the iDRAC.
  • Ensure that UEFI, TPM, and Secure Boot are enabled.
  • Set the TPM 2.0 algorithm to "SHA256" and enable Intel TXT.

For detailed information and troubleshooting guidance on the "TPM 2.0 device detected but a connection cannot be established" issue, see article 000193231:

PowerEdge: Error on ESXi 7.0 TPM 2.0 device detected but a connection cannot be established


Troubleshooting TPM and Secure Boot Issues

How to Enable Secure Boot

  1. View the ESXi host alarm status and accompanying error message.
  2. Connect to vCenter Server using the vSphere Client.
  3. Select a data center and click the Monitor tab.
  4. Click Security.
  5. Review the host status in the Attestation column and read the accompanying message in the Message column.
  6. If the error message is "Host Secure Boot was disabled," follow these steps to resolve the issue:
    • Verify whether Secure Boot can be enabled on the host. If it cannot be enabled, contact Dell Tech Support.
    • To enable Secure Boot, follow these steps:
      • From the VMware vCenter vSphere Client, place one node in Maintenance Mode (Enter Maintenance Mode).
      • Log in to iDRAC and select the Configure tab > BIOS Settings > System Security > TPM Advanced Settings.
      • Set Secure Boot to "enable" and click Apply > OK > Apply and Reboot.
      • Click Job queue and wait until all jobs show 100% complete.
      • Log in to the VMware vCenter vSphere Client and take the node out of maintenance (Exit Maintenance Mode).
    • Repeat Step 6 on each node until all nodes have Secure Boot enabled from iDRAC.
    • Log in to the VMware vCenter vSphere Client and select the data center.
    • Click the Monitor tab > Security and verify that the latest Attestation status shows "Passed."
    • If you see an alarm with a red icon, select it and click RESET TO GREEN.

How to Enable TPM and Secure Boot

  1. View the ESXi host alarm status and accompanying error message.
  2. Connect to VMware vCenter Server using the VMware vSphere Client.
  3. Select a data center and click the Monitor tab.
  4. Click Security.
  5. Review the host status in the Attestation column and read the accompanying message in the Message column.
  6. If the error message is "N/A," you must enable both TPM and Secure Boot to resolve the issue.
    • Verify whether Secure Boot can be enabled on the host. If it cannot be enabled, contact Dell Tech Support.
    • To enable TPM and Secure Boot, follow these steps:
      • From the VMware vCenter vSphere Client, place one node in Maintenance Mode (Enter Maintenance Mode).
      • Log in to iDRAC and select the Configure tab > BIOS Settings > System Security. Set TPM Security to "On," then open TPM Advanced Settings.
      • Set Secure Boot to "enable" and click Apply > OK > Apply and Reboot.
      • Click Job queue and wait until all jobs show 100% complete.
      • Go to Dashboard > Virtual Console and confirm that the console shows "successfully completed." If it does, continue.
      • Log in to the VMware vCenter vSphere Client and disconnect the node.
      • Reconnect the node, and then select Exit Maintenance Mode.
    • Repeat Step 6 on each node until all nodes have TPM and Secure Boot enabled from iDRAC.
    • Log in to the VMware vCenter vSphere Client and go to the data center.
    • Click the Monitor tab > Security and verify that the latest Attestation message shows "Passed."
    • If you see an alarm with a red icon, select the specific Triggered Alarm and click RESET TO GREEN.

Host Attestation Issues

When a TPM 2.0 device is used on an ESXi host, the host may fail attestation while the vSphere Client shows little detail about why. To troubleshoot this issue, follow these steps:

  1. Navigate to a data center and click the Monitor tab.
  2. Click Security.
  3. Review the host’s status in the Attestation column and read the accompanying message in the Message column.

Now, depending on the error message you encounter, you can identify a solution:

  • If the error message is "Host Secure Boot was disabled," see the How to Enable Secure Boot section. Get Secure Boot working before troubleshooting anything else.
  • If the host's attestation status is "Failed," check the vCenter Server log for the message "No cached identity key, loading from DB." This message indicates that a TPM 2.0 chip was added to an ESXi host that vCenter Server already manages. Disconnect the host, then reconnect it.
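The checks above are read from the vSphere Client; the same state can be read on the host itself. The following script is an added example, not part of the Dell article: it reads the UEFI Secure Boot state with /usr/lib/vmware/secureboot/bin/secureBoot.py -s and TPM presence with esxcli hardware trustedboot get (both available on ESXi 6.7 and later), and maps the result to the section of this article to follow. The functions field, triage and advice, the constructed sample output it falls back to when run off the host, and the mapping from state to section are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Dell article): classify an ESXi host's
# TPM / Secure Boot state from two commands that exist on ESXi 6.7 and later:
#   /usr/lib/vmware/secureboot/bin/secureBoot.py -s   -> "Enabled" | "Disabled"
#   esxcli hardware trustedboot get                   -> "Tpm Present: true|false"
# and map the result onto the sections of this article. Off the host (no
# esxcli on the PATH) it falls back to the constructed sample below.

# Constructed sample output in the layout esxcli prints; not captured from a real host.
SAMPLE_TRUSTEDBOOT='   Drtm Enabled: false
   Tpm Present: true'
SAMPLE_SECUREBOOT='Disabled'

# field KEY TEXT: print the value after "KEY: " in esxcli-style output.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p"
}

# triage SECUREBOOT_STATE TRUSTEDBOOT_OUTPUT: print one token describing the
# host. Checks are ordered the way the article treats them: a missing TPM
# (attestation "N/A") before a disabled Secure Boot.
triage() {
    sb="$1"
    tpm=$(field 'Tpm Present' "$2")
    if [ "$tpm" != "true" ]; then
        echo "NO_TPM"
    elif [ "$sb" != "Enabled" ]; then
        echo "SECURE_BOOT_DISABLED"
    else
        echo "OK"
    fi
}

# advice TOKEN: which section of this article applies to each token.
advice() {
    case "$1" in
        NO_TPM)               echo "TPM not detected: follow 'How to Enable TPM and Secure Boot'." ;;
        SECURE_BOOT_DISABLED) echo "UEFI Secure Boot is off: follow 'How to Enable Secure Boot'." ;;
        OK)                   echo "TPM present and Secure Boot on. If attestation still fails, see 'Host Attestation Issues' and the TPM Hierarchy steps." ;;
        *)                    echo "Unknown state: $1" ;;
    esac
}

# Live data on an ESXi host, constructed sample anywhere else.
if command -v esxcli >/dev/null 2>&1; then
    sb_state=$(/usr/lib/vmware/secureboot/bin/secureBoot.py -s)
    tb_out=$(esxcli hardware trustedboot get)
else
    sb_state="$SAMPLE_SECUREBOOT"
    tb_out="$SAMPLE_TRUSTEDBOOT"
fi
state=$(triage "$sb_state" "$tb_out")
echo "state=$state"
advice "$state"
```

Copy the script to the host and run it from the ESXi shell; it prints NO_TPM, SECURE_BOOT_DISABLED or OK followed by the section to follow. A disabled TPM Hierarchy (the Endorsement Key error) is not visible to these two commands, so OK combined with a failed attestation still points to the later sections of this article.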

How to Enable TPM Hierarchy

If the error message is "Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on the device," resolve it by enabling TPM Hierarchy in the BIOS. Follow these steps:

  1. View the ESXi host alarm status and accompanying error message.
  2. Connect to VMware vCenter Server using the VMware vSphere Client.
  3. Select a data center and click the Monitor tab.
  4. Click Security.
  5. Review the host’s status in the Attestation column and read the accompanying message in the Message column.
  6. If the error message is "Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on the device," you must enable TPM Hierarchy to resolve the issue.
  7. If you see an alarm with a red icon, select the specific Triggered Alarm and click RESET TO GREEN.
  8. To enable TPM Hierarchy, follow these steps:
    • From the VMware vCenter vSphere Client, place one node in Maintenance Mode (Enter Maintenance Mode).
    • Log in to iDRAC and select the Configure tab > BIOS Settings > System Security > TPM.
    • Set TPM Hierarchy to "Enable" and click Apply > OK > Apply and Reboot.
    • Click Job queue and wait until all jobs show 100% complete.
    • Go to Dashboard > Virtual Console and confirm that the console shows "successfully completed." If it does, continue.
    • Log in to the VMware vCenter vSphere Client and select Exit Maintenance Mode.
  9. Repeat Steps 7 and 8 on each node until all nodes have TPM Hierarchy enabled from iDRAC.
  10. Log in to VMware vCenter vSphere Client and select a data center.
  11. Click the Monitor tab > Security to verify the latest Attestation message as "Passed."

Note: VMware QuickBoot is not supported when Secure Boot is enabled.
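The iDRAC part of the three procedures in this article (Secure Boot only, TPM plus Secure Boot, and TPM Hierarchy) is the same sequence each time: set the BIOS attribute, create a BIOS configuration job with a reboot, and wait for the job queue to reach 100%. The script below is an added example rather than Dell's own tooling; it drives that sequence with the racadm command-line tool against one node at a time. It assumes that racadm is installed, that the iDRAC credentials are in the IDRAC_USER and IDRAC_PASS environment variables, and that the attribute names BIOS.SysSecurity.SecureBoot, BIOS.SysSecurity.TpmSecurity and BIOS.SysSecurity.Tpm2Hierarchy match your server's BIOS attribute registry (verify them with "racadm get BIOS.SysSecurity" before relying on the script); the job-queue output it parses is reproduced from a constructed sample, and the function names are the example's own. The vSphere steps (Enter Maintenance Mode before, disconnect/reconnect, Exit Maintenance Mode and RESET TO GREEN after) remain manual.

```shell
#!/bin/sh
# Added example, not Dell's code: the per-node iDRAC steps of the three
# procedures in this article, driven with racadm instead of the iDRAC web UI.
# Assumptions (also stated in the lead-in):
#   - racadm is installed locally; IDRAC_USER / IDRAC_PASS hold the credentials.
#   - BIOS attribute names as in Dell's BIOS attribute registry; confirm on
#     your firmware with:  racadm -r <idrac> -u <user> -p <pass> get BIOS.SysSecurity
#       BIOS.SysSecurity.SecureBoot      Enabled | Disabled
#       BIOS.SysSecurity.TpmSecurity     On | Off
#       BIOS.SysSecurity.Tpm2Hierarchy   Enabled | Disabled
#   - "racadm jobqueue view -i JID" prints "Status=..." and "Percent Complete=[n]"
#     lines, as in the constructed sample below.
# The node must already be in Maintenance Mode; the vSphere side (disconnect,
# reconnect, Exit Maintenance Mode, RESET TO GREEN) is still done in the client.

# Constructed sample of a finished job (not captured from a real iDRAC).
SAMPLE_JOB_DONE='[Job ID=JID_000000000000]
Job Name=Configure: BIOS.Setup.1-1
Status=Completed
Percent Complete=[100]'

# Parsers for "racadm jobqueue view -i JID" output.
job_status()  { printf '%s\n' "$1" | sed -n 's/^Status=//p'; }
job_percent() { printf '%s\n' "$1" | sed -n 's/^Percent Complete=\[\([0-9]*\)].*/\1/p'; }

# job_done JOBVIEW_OUTPUT: succeeds only when the job is Completed at 100%.
job_done() {
    if [ "$(job_status "$1")" = "Completed" ] && [ "$(job_percent "$1")" = "100" ]; then
        return 0
    fi
    return 1
}

# rac NODE ARGS...: run one racadm subcommand against NODE's iDRAC.
rac() { node="$1"; shift; racadm -r "$node" -u "$IDRAC_USER" -p "$IDRAC_PASS" "$@"; }

# stage_attr NODE ATTR VALUE: set a BIOS attribute as a pending value
# (skipped when "racadm get" already reports that value).
stage_attr() {
    current=$(rac "$1" get "$2" | sed -n "s/^${2##*.}=//p")
    if [ "$current" = "$3" ]; then
        echo "$1: $2 already $3"
    else
        rac "$1" set "$2" "$3"
    fi
}

# apply_bios NODE: schedule the BIOS config job with an immediate power cycle
# (the UI's "Apply and Reboot") and poll the job queue until it completes.
apply_bios() {
    jid=$(rac "$1" jobqueue create BIOS.Setup.1-1 -r pwrcycle -s TIME_NOW \
          | sed -n 's/.*\(JID_[0-9]*\).*/\1/p')
    [ -n "$jid" ] || { echo "$1: could not schedule BIOS job" >&2; return 1; }
    tries=0
    while [ "$tries" -lt 60 ]; do
        out=$(rac "$1" jobqueue view -i "$jid")
        if job_done "$out"; then echo "$1: job $jid completed"; return 0; fi
        case "$(job_status "$out")" in
            Failed*) echo "$1: job $jid failed" >&2; return 1 ;;
        esac
        tries=$((tries + 1)); sleep 30
    done
    echo "$1: job $jid did not finish within 30 minutes" >&2; return 1
}

# Usage: IDRAC_USER=... IDRAC_PASS=... ./tpm-bios.sh <idrac-ip> secureboot|tpm|hierarchy
if command -v racadm >/dev/null 2>&1 && [ $# -eq 2 ]; then
    case "$2" in
        secureboot) stage_attr "$1" BIOS.SysSecurity.SecureBoot Enabled ;;
        tpm)        stage_attr "$1" BIOS.SysSecurity.TpmSecurity On
                    stage_attr "$1" BIOS.SysSecurity.SecureBoot Enabled ;;
        hierarchy)  stage_attr "$1" BIOS.SysSecurity.Tpm2Hierarchy Enabled ;;
        *)          echo "unknown action: $2" >&2; exit 2 ;;
    esac
    apply_bios "$1"
else
    # No racadm here: exercise only the job-output parser on the constructed sample.
    job_done "$SAMPLE_JOB_DONE" && echo "parser self-check: sample job is Completed at 100%"
fi
```

The "tpm" action stages both attributes before creating one job, so the node reboots once, matching the single Apply and Reboot in the procedure. Run it per node, then return to the vSphere Client for the remaining steps before moving to the next node.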

Contact us if the troubleshooting steps did not resolve the issue. 

Affected Products

Dell EMC vSAN Ready Nodes, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, PowerFlex appliance R750, PowerFlex appliance R760, PowerFlex appliance R7625, VxFlex Ready Node, VxFlex Ready Node R640, VxFlex Ready Node R740xd, VMware ESXi 7.x, VMware ESXi 8.x, VMware ESXi 9.x, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840, VxFlex Ready Node R840 ...
Article Properties
Article Number: 000218542
Article Type: Solution
Last Modified: 05 Feb 2026
Version:  4