The vSphere Trust Authority attestation reporting provides a starting point for troubleshooting Trusted Host attestation errors.
Procedure
- View the Trusted Cluster Attestation Status.
- Use the following table to troubleshoot and resolve errors.
| Error | Cause and Solution |
| --- | --- |
| Attestation Services not configured. | Attestation Services have not been configured. Configure the Trusted Host to use attestation services by using the Remediate action. See Remediate a Trusted Cluster. |
| No TPM2 device available. | Install and configure the Trusted Host to use a Trusted Platform Module (TPM). See your vendor documentation. |
| TPM2 endorsement public key or certificate could not be retrieved. | Check that the TPM is supported, and that it has a valid endorsement key. You might need to contact VMware Support. |
| Attestation report is not available. | It is possible that the Trusted Host has not finished attestation. Wait a few minutes then recheck the attestation status. |
| Attestation Service version is incompatible with the request. | Update the Trust Authority host running the Attestation Service to vSphere 7.0 Update 1 or later. |
| Attestation failed because Secure Boot is not enabled. | Check that the Trusted Host is configured to use Secure Boot. See UEFI Secure Boot for ESXi Hosts. |
| Attestation failed to identify the remote software version. | Import the Trusted Host's base image information to the Attestation Service. See Import the Trusted Host Information to the Trust Authority Cluster. |
| Attestation failed because a TPM certificate is required. | Check that the TPM is supported. Alternatively, run the following PowerCLI cmdlet to modify the `com.vmware.esx.attestation.tpm2.settings` to set `requireCertificateValidation` to `false`: `Set-TrustAuthorityTpm2AttestationSettings -TrustAuthorityCluster TrustedCluster -RequireCertificateValidation:$false -RequireEndorsementKey:$true` |
| Attestation failed due to an unknown TPM. | Import the TPM endorsement key to the Attestation Services. See Import the Trusted Host Information to the Trust Authority Cluster. |
| Error: vapi.send.failed. | The kmxa service might not be running on the Trusted Host or the kmxa service cannot contact the Attestation Service. Ensure that the kmxa service is started. Also, check that the Attestation Service is running. See Restart the Trusted Host Service. |