ESXi hosts can use Trusted Platform Modules (TPM) chips, which are secure cryptoprocessors that enhance host security by providing a trust assurance rooted in hardware as opposed to software.
What Is a TPM
TPM is an industry-wide standard for secure cryptoprocessors. Today, TPM chips are found in most computers, from laptops, to desktops, to servers. vSphere 6.7 and later supports TPM version 2.0.
A TPM 2.0 chip attests to an ESXi identity of a host. Host attestation is the process of authenticating and attesting to the state of the software on a host at a given point in time. UEFI secure boot, which ensures that only signed software is loaded at boot time, is a requirement for successful attestation. The TPM 2.0 chip records and securely stores measurements of the software modules booted in the system, which vCenter Server remotely verifies.
The high-level steps of the remote attestation process are:
- Establish the trustworthiness of the remote TPM and create an Attestation Key (AK) on it.
When an ESXi host is added to, rebooted from, or reconnected to vCenter Server, vCenter Server requests an AK from the host. Part of the AK creation process also involves the verification of the TPM hardware itself, to ensure that a known (and trusted) vendor has produced it.
- Retrieve the Attestation Report from the host.
vCenter Server requests that the host sends an Attestation Report, which contains a quote of Platform Configuration Registers (PCRs), signed by the TPM, and other signed host binary metadata. By checking that the information corresponds to a configuration it deems trusted, a vCenter Server identifies the platform on a previously untrusted host.
- Verify the authenticity of the host.
vCenter Server verifies the authenticity of the signed quote, infers the software versions, and determines the trustworthiness of said software versions. If vCenter Server determines the signed quote is invalid, remote attestation fails and the host is not trusted.
What Are the vSphere Requirements to Use a TPM
To use a TPM 2.0 chip, your vCenter Server environment must meet these requirements:
- vCenter Server 6.7 or later
- ESXi 6.7 host or later with TPM 2.0 chip installed and enabled in UEFI
- UEFI Secure Boot enabled
Ensure that the TPM is configured in the BIOS of the ESXi host to use the SHA-256 hashing algorithm and the TIS/FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). For information about setting these required BIOS options, refer to the vendor documentation.
Review the TPM 2.0 chips certified by VMware at the following location:
What Happens When You Boot a Host with a TPM
When you boot an ESXi host with an installed TPM 2.0 chip, vCenter Server monitors the attestation status of the host. To view the hardware trust status, in the vSphere Client, select the vCenter Server, then the Summary tab under Security. The hardware trust status is one of the following:
- Green: Normal status, indicating full trust.
- Red: Attestation failed.
With vSphere 7.0 and later, VMware® vSphere Trust Authority™ uses remote attestation capabilities for ESXi hosts. See What Is the vSphere Trust Authority Attestation Service.
View ESXi Host Attestation Status
When added to an ESXi host, a Trusted Platform Module 2.0 compatible chip attests the integrity of the platform. You can view the attestation status of the host in the vSphere Client. You can also view the Intel Trusted Execution Technology (TXT) status.
- Connect to vCenter Server by using the vSphere Client.
- Navigate to a data center and click the Monitor tab.
- Click Security.
- Review the host's status in the Attestation column and read the accompanying message in the Message column.
- If this host is a Trusted Host, see View the Trusted Cluster Attestation Status for more information.
What to do next
Troubleshoot ESXi Host Attestation Problems
When you install a Trusted Platform Module (TPM) device on an ESXi host, the host might fail to pass attestation. You can troubleshoot the potential causes of this problem.
- View the ESXi host alarm status and accompanying error message. See View ESXi Host Attestation Status.
- If the error message is Host secure boot was disabled, you must re-enable secure boot to resolve the problem.
- If the attestation status of the host is failed, check the vCenter Server vpxd.log file for the following message:
No cached identity key, loading from DBThis message indicates that you are adding a TPM 2.0 chip to an ESXi host that vCenter Server already manages. You must first disconnect the host, then reconnect it. See vCenter Server and Host Management documentation for information about disconnecting and reconnecting hosts.For more information about vCenter Server log files, including location and log rotation, see the VMware knowledge base article at https://kb.vmware.com/s/article/1021804.
- For all other error messages, contact Customer Support.