TPM attestation failure alarms in VCSA.
The TPM Attestation alarm in vCenter shows 'Internal Failure'.
The ESXi hostd.log, found under /var/log, shows entries similar to the following after the ESXi host is rebooted:
[YYYY-MM-DDTHH:MM:SS] info hostd[2102072] [Originator@6876 sub=Solo.Vmomi opID=HB-host-30XX@88-398XX55d-SWI-X000X905-3188 user=vpxuser] Throw vim.fault.TpmFault
[YYYY-MM-DDTHH:MM:SS] info hostd[2102072] [Originator@6876 sub=Solo.Vmomi opID=HB-host-30XX@88-398XX55d-SWI-X000X905-3188 user=vpxuser] Result:
--> (vim.fault.TpmFault) {
-->    faultMessage = (vmodl.LocalizableMessage) [
-->       (vmodl.LocalizableMessage) {
-->          key = "vim.vmware.tpm.error.deviceCommand",
-->          arg = (vmodl.KeyAnyValue) [
-->             (vmodl.KeyAnyValue) {
-->                key = "commandName",
-->                value = "Create"
-->             },
-->             (vmodl.KeyAnyValue) {
-->                key = "errorCode",
-->                value = "(0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
-->             }
-->          ],
-->       }
-->    ],
-->    msg = "Create: (0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
--> }
Some TPM firmware drivers use RSA key blobs larger than the supported size. Because of this, some of the attestation APIs fail with error code TSS2_SYS_RC_INSUFFICIENT_BUFFER, resulting in attestation alarms in VCSA.
To accommodate these larger RSA key blobs, code changes were made in VMware vSphere 7.0U3i and VMware vSphere 8.0P01. Any vSphere version (on hosts with a TPM chip) older than VMware vSphere 7.0U3i or VMware vSphere 8.0P01 that uses such firmware will fail attestation.
To resolve the issue, upgrade vCenter and ESXi to 7.0U3i (or higher) or 8.0P01 (or higher).
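To confirm that an attestation alarm is this specific TPM buffer failure rather than some other TpmFault, the hostd.log entry above can be checked programmatically. The following is an added example, not code from the KB article or from VMware; it assumes only the hostd.log layout shown above (one timestamped line per entry, continuation lines prefixed with '-->') and embeds a constructed log excerpt as sample input.

```python
import re
# Signature from the KB text above; KV_RE matches a KeyAnyValue pair once '-->' markers are stripped.
INSUFFICIENT_BUFFER = "TSS2_SYS_RC_INSUFFICIENT_BUFFER"
KV_RE = re.compile(r'key = "(\w+)",\s*value = "([^"]*)"')
def split_entries(log_text):
    """Group hostd.log lines into entries: a timestamped line plus its '-->' continuations."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("-->") and entries:
            entries[-1] += "\n" + line  # continuation of the previous entry
        elif line:
            entries.append(line)
    return entries

def find_tpm_faults(log_text):
    """One dict per vim.fault.TpmFault result: commandName, errorCode, insufficient_buffer flag."""
    faults = []
    for entry in split_entries(log_text):
        if "(vim.fault.TpmFault)" not in entry:
            continue
        fields = dict(KV_RE.findall(entry.replace("-->", " ")))
        fields["insufficient_buffer"] = INSUFFICIENT_BUFFER in fields.get("errorCode", "")
        faults.append(fields)
    return faults
# Constructed sample hostd.log excerpt (timestamps and ids are made up) mirroring the entry above.
SAMPLE_HOSTD_LOG = """\
2023-01-15T10:20:30.123Z info hostd[2102072] [Originator@6876 sub=Solo.Vmomi user=vpxuser] Throw vim.fault.TpmFault
2023-01-15T10:20:30.124Z info hostd[2102072] [Originator@6876 sub=Solo.Vmomi user=vpxuser] Result:
--> (vim.fault.TpmFault) {
-->    faultMessage = (vmodl.LocalizableMessage) [
-->       (vmodl.LocalizableMessage) {
-->          key = "vim.vmware.tpm.error.deviceCommand",
-->          arg = (vmodl.KeyAnyValue) [
-->             (vmodl.KeyAnyValue) {
-->                key = "commandName",
-->                value = "Create"
-->             },
-->             (vmodl.KeyAnyValue) {
-->                key = "errorCode",
-->                value = "(0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
-->             }
-->          ],
-->       }
-->    ],
-->    msg = "Create: (0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
--> }
2023-01-15T10:21:00.000Z info hostd[2102072] [Originator@6876 sub=Vimsvc] Unrelated entry
"""
```

A host whose faults carry insufficient_buffer set is the case this article describes and is fixed by the upgrade; any other errorCode points to a different TPM problem.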
Japanese version: Trusted Platform Module (TPM) attestation fails because the RSA key BLOB is too large