You can use interfaces from the com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2 package to manage remote attestation configuration for TPM trust.

You can add, list, remove, and retrieve details about TPM CA certificates and TPM endorsement keys. Each TPM CA certificate identifies a platform OEM whose TPM endorsement key certificates the Attestation Service accepts; each registered endorsement key identifies an individual ESXi host. You can also set and retrieve the TPM 2.0 attestation settings that control how strictly endorsement keys are checked.

Prerequisites

  • Verify that you have access to a working vSphere Trust Authority environment.
  • Verify that you have Trusted Infrastructure administrative privileges.

Procedure

  1. Add a new TPM CA certificate to a Trusted Cluster to specify a trusted platform OEM by calling the create_Task(java.lang.String cluster, CaCertificatesTypes.CreateSpec spec) method of the CaCertificates interface.
  2. Retrieve a list of configured TPM CA certificates on a Trusted Cluster to identify the trusted platform OEMs by calling the list_Task(java.lang.String cluster) method of the CaCertificates interface.
  3. Remove a TPM CA certificate from a Trusted Cluster because a platform OEM is no longer trusted by calling the delete_Task(java.lang.String cluster, java.lang.String name) method of the CaCertificates interface. Hosts whose endorsement key certificates chain to the removed CA no longer pass attestation unless their endorsement keys are registered explicitly.
  4. Retrieve details about a specific TPM CA certificate on a Trusted Cluster to get more information about the trusted platform OEM by calling the get_Task(java.lang.String cluster, java.lang.String name) method of the CaCertificates interface.
  5. Add a new TPM endorsement key to a Trusted Cluster to specify a trusted ESXi host by calling the create_Task(java.lang.String cluster, EndorsementKeysTypes.CreateSpec spec) method of the EndorsementKeys interface.
  6. Retrieve a list of configured TPM endorsement keys in a Trusted Cluster to identify the trusted ESXi hosts by calling the list_Task(java.lang.String cluster) method of the EndorsementKeys interface.
  7. Remove a TPM endorsement key from a Trusted Cluster because an ESXi host is no longer trusted by calling the delete_Task(java.lang.String cluster, java.lang.String name) method of the EndorsementKeys interface.
  8. Retrieve details about a specific TPM endorsement key on a Trusted Cluster to get more information about the trusted ESXi host by calling the get_Task(java.lang.String cluster, java.lang.String name) method of the EndorsementKeys interface.
  9. Set the TPM 2.0 attestation settings, for example to specify that TPM endorsement keys on a Trusted Cluster do not need an OEM-signed certificate because the trusted OEM does not issue endorsement key certificates, by calling the update_Task(java.lang.String cluster, SettingsTypes.UpdateSpec spec) method of the Settings interface. Treat this as a weakening of the trust model: without certificate validation nothing ties an endorsement key to an OEM, so register each trusted host's endorsement key explicitly (steps 5 to 8).
  10. Determine the TPM 2.0 attestation settings in a Trusted Cluster by calling the get_Task(java.lang.String cluster) method of the Settings interface.
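The procedure above, carried through as one added Java example that is not code from the original page or from the vSphere Automation SDK itself. It assumes an already authenticated SDK session that supplies a StubFactory and StubConfiguration (as the SDK samples' VapiAuthenticationHelper does), that _Task methods return a task identifier that can be polled through com.vmware.cis.Tasks, and that the spec structures expose the setters shown (setName/setCertChain, setPublicKey/setCertificate, setRequireEndorsementKeys/setRequireCertificateValidation); the helper class name, the PEM-splitting helper and the cluster identifier are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.vmware.cis.Tasks;
import com.vmware.cis.task.Info;
import com.vmware.cis.task.Status;
import com.vmware.vapi.bindings.StubConfiguration;
import com.vmware.vapi.bindings.StubFactory;
import com.vmware.vcenter.trusted_infrastructure.X509CertChain;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificates;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.CaCertificatesTypes;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKeys;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.EndorsementKeysTypes;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.Settings;
import com.vmware.vcenter.trusted_infrastructure.trust_authority_clusters.attestation.tpm2.SettingsTypes;

/** Hypothetical helper (example code, not part of the SDK) wrapping the tpm2 attestation interfaces. */
public class Tpm2AttestationConfig {
    private final CaCertificates caCertificates;
    private final EndorsementKeys endorsementKeys;
    private final Settings settings;
    private final Tasks tasks;

    // Assumption: stubFactory/stubConfig come from an authenticated vSphere Automation SDK session.
    public Tpm2AttestationConfig(StubFactory stubFactory, StubConfiguration stubConfig) {
        this.caCertificates = stubFactory.createStub(CaCertificates.class, stubConfig);
        this.endorsementKeys = stubFactory.createStub(EndorsementKeys.class, stubConfig);
        this.settings = stubFactory.createStub(Settings.class, stubConfig);
        this.tasks = stubFactory.createStub(Tasks.class, stubConfig);
    }

    /** Splits a PEM file into individual certificate blocks, leaf/root order as stored in the file. */
    static List<String> readPemChain(Path pemFile) throws IOException {
        Matcher m = Pattern.compile("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                Pattern.DOTALL).matcher(Files.readString(pemFile));
        List<String> chain = new ArrayList<>();
        while (m.find()) chain.add(m.group());
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + pemFile);
        return chain;
    }

    /** Polls a task until it settles; a FAILED task is an error, never silently ignored. */
    Info waitForTask(String taskId) throws InterruptedException {
        while (true) {
            Info info = tasks.get(taskId);
            if (info.getStatus() == Status.SUCCEEDED) return info;
            if (info.getStatus() == Status.FAILED)
                throw new IllegalStateException("vSphere task " + taskId + " failed");
            Thread.sleep(2000); // PENDING, RUNNING or BLOCKED: keep polling
        }
    }

    /** Steps 1 and 4: trust a platform OEM by registering its TPM CA chain, then read it back. */
    public Info addOemCa(String cluster, String name, Path pemFile) throws Exception {
        X509CertChain chain = new X509CertChain();
        chain.setCertChain(readPemChain(pemFile));
        CaCertificatesTypes.CreateSpec spec = new CaCertificatesTypes.CreateSpec();
        spec.setName(name);
        spec.setCertChain(chain);
        waitForTask(caCertificates.create_Task(cluster, spec));
        return waitForTask(caCertificates.get_Task(cluster, name));
    }

    /** Step 3: stop trusting an OEM; hosts whose EK certs chain to it stop attesting. */
    public void removeOemCa(String cluster, String name) throws Exception {
        waitForTask(caCertificates.delete_Task(cluster, name));
    }

    /** Steps 5 and 6: pin one host by its endorsement key (PEM public key), then list all keys. */
    public Info addHostEndorsementKey(String cluster, String name, Path ekPublicKeyPem) throws Exception {
        EndorsementKeysTypes.CreateSpec spec = new EndorsementKeysTypes.CreateSpec();
        spec.setName(name);
        spec.setPublicKey(Files.readString(ekPublicKeyPem)); // assumption: publicKey is PEM text
        waitForTask(endorsementKeys.create_Task(cluster, spec));
        return waitForTask(endorsementKeys.list_Task(cluster)); // result carried in Info.getResult()
    }

    /** Steps 9 and 10: relax EK certificate validation only together with mandatory registered EKs. */
    public Info allowUnsignedEndorsementKeys(String cluster) throws Exception {
        SettingsTypes.UpdateSpec spec = new SettingsTypes.UpdateSpec();
        spec.setRequireCertificateValidation(false); // OEM issues no EK certificates
        spec.setRequireEndorsementKeys(true);        // so every trusted host must be pinned explicitly
        waitForTask(settings.update_Task(cluster, spec));
        return waitForTask(settings.get_Task(cluster));
    }
}
```

The task results (the certificate details, the endorsement key list, the settings) travel in the Info object's result field; inspect them with the SDK's type converter rather than ignoring them, and keep requireEndorsementKeys enabled whenever certificate validation is switched off, otherwise any TPM can attest against the cluster.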