TPM 2.0 devices whose endorsement key certificate carries an rsaesOaep public key are not supported by OpenSSL

Article ID: 334591

Products

VMware vSphere ESXi
VMware vSphere ESXi 7.0
VMware vSphere ESXi 6.0
VMware vSphere ESXi 8.0

Issue/Introduction

Symptoms:

  • After a host with TPM 2.0 enabled is added, vCenter Server reports the following alarm:

Host TPM attestation alarm

  • In the host summary page of the vCenter UI, you see a message similar to:

Unable to provision Endorsement Key on TPM 2.0 device: Endorsement key does not match EK certificate.

  • In the hostd.log, you see messages similar to:

 [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Tpm20Provider created.
 [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Preprovisioned endorsement key not found at 0x81010001
 [YYYY-MM-DDTHH:MM:SS]Z verbose hostd[1001392663] [Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: summary.runtime, ha-root-pool. Sent notification immediately.
 [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
 [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Vendor provided RSA endorsement key template is not present in NV memory. Using default template per TGC spec.
 [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
 [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Could not extract X509 public key.
 [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Unable to provision default rsa endorsement key.


Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 8.x
VMware vSphere ESXi 7.x

Resolution

To resolve this issue, perform one of the following:
  1. Disable the TPM in the BIOS
  2. Switch the TPM to TPM 1.2 mode
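Before choosing either workaround, it is worth confirming that the host's EK certificate really uses the rsaesOaep form that OpenSSL (and therefore hostd) cannot parse. The script below is an added diagnostic, not VMware code: it walks a DER-encoded certificate down to the SubjectPublicKeyInfo AlgorithmIdentifier and reports whether the OID is rsaEncryption (1.2.840.113549.1.1.1) or rsaesOaep (1.2.840.113549.1.1.7). It assumes you have already exported the EK certificate as DER; the function names and the constructed stand-in certificate used for the self-check are mine.

```python
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_RSAES_OAEP = "1.2.840.113549.1.1.7"
# DER contents of the two OIDs (same prefix, only the last arc differs)
_OID_BYTES = {OID_RSA_ENCRYPTION: bytes.fromhex("2a864886f70d010101"),
              OID_RSAES_OAEP: bytes.fromhex("2a864886f70d010107")}
_OID_NAMES = {v: k for k, v in _OID_BYTES.items()}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def ek_cert_spki_algorithm(cert_der):
    """Dotted OID of the SPKI AlgorithmIdentifier, or its raw hex if unknown."""
    _, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # skip optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg_id = _children(fields[5][1])[0][1]         # AlgorithmIdentifier
    oid = _children(alg_id)[0][1]
    return _OID_NAMES.get(oid, oid.hex())

def uses_rsaes_oaep(cert_der):
    """True when the EK cert's SPKI is the rsaesOaep form OpenSSL rejects."""
    return ek_cert_spki_algorithm(cert_der) == OID_RSAES_OAEP

def _der(tag, content):
    """Encode one DER TLV; short-form lengths suffice for the sample."""
    return bytes([tag, len(content)]) + content

def constructed_ek_cert(spki_oid):
    """Constructed, unsigned stand-in for an EK certificate (not a real cert)."""
    alg = _der(0x30, _der(0x06, _OID_BYTES[spki_oid]) + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00"))    # empty BIT STRING key
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01"
               + b"\x30\x00" * 4 + spki)
    return _der(0x30, tbs + b"\x30\x00" + b"\x03\x01\x00")
```

Run `uses_rsaes_oaep(open("ek.der", "rb").read())` on the exported certificate; a True result means the EK certificate, not the TPM, is what hostd is tripping over, and a firmware update from the hardware vendor may be an alternative to the workarounds above.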