After creating an attestation profile, you must associate it with the TPM-based template. This ensures that the gateways you enroll using the TPM-based template are tamper-detectable.
You must have a valid attestation profile.
- From the VMware Pulse IoT Center console, go to Security > Profiles.
- Copy the Profile ID of the attestation profile that you have created.
- Go to Device Templates and click the TPM-based template that you have created.
- Scroll down to the Custom Properties section and click the edit icon.
- In the Edit Custom Property window, click the edit icon against the security-profile-id.
- Paste the Profile ID under the Default Value text box. Click DONE.
- Click SAVE to save the changes.
- Next, configure the TPM attestation level in your gateway. Run the following command to open the iotc.cfg file:
- Set the TPM attestation level to full:
tpmAttestationLevel = full
Note: If you want to enable only boot attestation, set tpmAttestationLevel = boot. If you want to enable both runtime and boot attestation, set tpmAttestationLevel = full.
You have successfully associated the attestation profile to your TPM-based device template. You can now onboard your gateway using the TPM-based template.
What to do next
- TPM Boot Attestation Succeeded
- Runtime Boot Attestation Succeeded
If there is an attestation failure, check the following:
- Check the Alerts tab for any alerts corresponding to the boot or runtime attestation.
- Check the Properties tab of the device.
If there is a boot failure, the cause of the error is displayed. For example:
boot-is-tampered true
boot-tamper-details: "PCR8 mismatched."
For a run-time failure, the cause of the error is displayed. For example:
runtime-is-tampered true
runtime-tamper-details: "Files with mis-matched digests: /etc/chrony.conf"
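The properties above are what an operator reads by hand; the following is an added example (not VMware Pulse IoT Center code) of turning them into an automated verdict, so that a monitoring job can raise a finding with the mismatched PCR index or file list instead of a bare "tampered" flag. The property names and the two detail strings come from the examples in this page; the dictionary input shape, the `evaluate_attestation` function and the parsing of the detail strings are assumptions made for the example. It also honours the configured tpmAttestationLevel: under boot, runtime properties are not consulted, so a gateway without runtime attestation is not wrongly reported as failed.

```python
"""Interpret TPM attestation properties reported for a gateway.

Added example, not VMware code. Property names (boot-is-tampered,
boot-tamper-details, runtime-is-tampered, runtime-tamper-details) and the
detail strings mirror the documentation's examples; the dict input shape
and the parsing of the detail strings are assumptions.
"""
import re
from dataclasses import dataclass, field

# Which attestation kinds each tpmAttestationLevel value (from iotc.cfg) enables.
LEVEL_CHECKS = {
    "boot": ("boot",),
    "full": ("boot", "runtime"),
}


@dataclass
class AttestationVerdict:
    level: str
    tampered: bool
    findings: list = field(default_factory=list)  # human-readable reasons
    pcrs: list = field(default_factory=list)      # PCR indices reported as mismatched
    files: list = field(default_factory=list)     # files whose digests mismatched


def _is_true(value) -> bool:
    """Device properties arrive as strings; only a literal 'true' counts as tampered."""
    return str(value).strip().lower() == "true"


def evaluate_attestation(properties: dict, level: str) -> AttestationVerdict:
    """Decide whether a gateway failed attestation for the configured level.

    properties: the device's Properties tab as a key/value mapping (assumed shape).
    level: the tpmAttestationLevel configured in iotc.cfg ('boot' or 'full').
    Runtime properties are consulted only when level is 'full', so their
    absence under 'boot' is not a failure.
    """
    if level not in LEVEL_CHECKS:
        raise ValueError(f"unknown tpmAttestationLevel {level!r}; expected 'boot' or 'full'")
    verdict = AttestationVerdict(level=level, tampered=False)
    for kind in LEVEL_CHECKS[level]:
        if not _is_true(properties.get(f"{kind}-is-tampered", "false")):
            continue
        verdict.tampered = True
        details = str(properties.get(f"{kind}-tamper-details", "")).strip().strip('"')
        verdict.findings.append(f"{kind} attestation failed: {details or 'no details reported'}")
        # PCR references in the detail string, e.g. "PCR8 mismatched." -> 8
        verdict.pcrs.extend(int(n) for n in re.findall(r"\bPCR(\d+)\b", details))
        # File list, e.g. "Files with mis-matched digests: /etc/chrony.conf" (comma-separated assumed)
        m = re.search(r"digests:\s*(.+)$", details)
        if m:
            verdict.files.extend(p.strip() for p in m.group(1).rstrip(".").split(",") if p.strip())
    return verdict


# Constructed sample: both failures from the documentation reported on one device.
SAMPLE_PROPERTIES = {
    "boot-is-tampered": "true",
    "boot-tamper-details": '"PCR8 mismatched."',
    "runtime-is-tampered": "true",
    "runtime-tamper-details": '"Files with mis-matched digests: /etc/chrony.conf"',
}

if __name__ == "__main__":
    for lvl in ("boot", "full"):
        v = evaluate_attestation(SAMPLE_PROPERTIES, lvl)
        print(lvl, "TAMPERED" if v.tampered else "clean", v.findings, v.pcrs, v.files)
```

With the sample properties, level boot yields a single finding with PCR 8, while level full adds the runtime finding and the mismatched file /etc/chrony.conf; a device reporting only "false" values yields a clean verdict with no findings.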