Trusted Platform Module (TPM) attestation fails due to larger RSA key blobs
search cancel

Trusted Platform Module (TPM) attestation fails due to larger RSA key blobs

book

Article ID: 313226

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
TPM attestation failure alarms in VCSA.

TPM Attestation alarm in vCenter will show 'Internal Failure'

ESXi hostd.log found under /var/log will show similar entries after the ESXi host is rebooted:

2024-07-03T13:55:42.097Z info hostd[2102072] [Originator@6876 sub=Solo.Vmomi opID=HB-host-3029@88-398ed55d-SWI-7000e905-3188 user=vpxuser] Throw vim.fault.TpmFault
2024-07-03T13:55:42.097Z info hostd[2102072] [Originator@6876 sub=Solo.Vmomi opID=HB-host-3029@88-398ed55d-SWI-7000e905-3188 user=vpxuser] Result:
--> (vim.fault.TpmFault) {
--> faultMessage = (vmodl.LocalizableMessage) [
--> (vmodl.LocalizableMessage) {
--> key = "vim.vmware.tpm.error.deviceCommand",
--> arg = (vmodl.KeyAnyValue) [
--> (vmodl.KeyAnyValue) {
--> key = "commandName",
--> value = "Create"
--> },
--> (vmodl.KeyAnyValue) {
--> key = "errorCode",
--> value = "(0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
--> }
--> ],
--> }
--> ],
--> msg = "Create: (0x80006) TSS2_SYS_RC_INSUFFICIENT_BUFFER"
--> }

Environment

VMware vSphere 7.0.x and VMware vSphere 8.0

Cause

Some TPM firmware drivers use larger than supported RSA key blobs. Due to this, some of the attestation APIs fail with error code TSS2_SYS_RC_INSUFFICIENT_BUFFER resulting in attestation alarms in VCSA.

To conform with these larger RSA key blobs, code changes were made in VMware vSphere 7.0U3i and VMware vSphere 8.0P01. Any vSphere versions (with a TPM chip) older than VMware vSphere 7.0U3i and VMware vSphere 8.0P01 using such firmware will fail attestation.

Resolution

To resolve the issue, please upgrade vCenter and ESXi to 7.0U3i (or higher) or 8.0P01 (or higher)

Powered by Wolken Software