TPM 2.0 devices whose endorsement key certificate carries an rsaesOaep public key are not supported by OpenSSL

Article ID: 334591


Products

VMware vSphere ESXi
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0

Issue/Introduction

  • vCenter Server raises the following alarm after an ESXi host with TPM 2.0 enabled is added to the inventory:

    Host TPM attestation alarm

  • In the host summary page of the vCenter UI, the following message will be displayed:

    Unable to provision Endorsement Key on TPM 2.0 device: Endorsement key does not match EK certificate.

  • The corresponding messages appear in /var/run/log/hostd.log on the ESXi host:

    [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Tpm20Provider created.
    [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Preprovisioned endorsement key not found at 0x81010001
    [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
    [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Vendor provided RSA endorsement key template is not present in NV memory. Using default template per TCG spec.
    [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
    [YYYY-MM-DDTHH:MM:SS]Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Could not extract X509 public key.
    [YYYY-MM-DDTHH:MM:SS]Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Unable to provision default rsa endorsement key.

Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 8.x
VMware vSphere ESXi 7.x

Cause

The SubjectPublicKeyInfo algorithm OID in the Endorsement Key (EK) certificate stored in the physical TPM chip on the host's system board is id-RSAES-OAEP (1.2.840.113549.1.1.7) instead of the expected rsaEncryption (1.2.840.113549.1.1.1). ESXi's hostd uses OpenSSL to parse the EK certificate and compare the certified public key with the EK it generates from the EK template. OpenSSL cannot load a SubjectPublicKeyInfo whose algorithm is id-RSAES-OAEP, so the public key cannot be extracted from the certificate ("Could not extract X509 public key" in hostd.log), the comparison fails, and EK provisioning is aborted with "Endorsement key does not match EK certificate." The TPM itself is not defective; the certificate the vendor burned into it uses an encoding that the host software cannot consume.
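The check a practitioner wants here is to look at the EK certificate's SubjectPublicKeyInfo algorithm OID directly, without depending on OpenSSL being able to parse the key. The script below is an added example and is not part of this article or of ESXi; it walks the DER structure Certificate -> tbsCertificate -> subjectPublicKeyInfo -> AlgorithmIdentifier with a minimal stdlib-only decoder and reports whether the OID is rsaEncryption (parsable) or id-RSAES-OAEP (the case described above). Because no real rsaesOaep EK certificate can be embedded here, the script constructs a hypothetical, unsigned certificate-shaped DER blob for demonstration; on a real system you would feed it the EK certificate file instead.

```python
import sys

# Public key algorithm OIDs from PKCS #1 (RFC 8017) and RFC 5480.
# The TCG EK Credential Profile expects rsaEncryption for an RSA EK certificate.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # OpenSSL loads this as an RSA public key
RSAES_OAEP = "1.2.840.113549.1.1.7"       # OpenSSL does not accept this as an SPKI algorithm
EC_PUBLIC_KEY = "1.2.840.10045.2.1"       # ECC EK certificates use this
KNOWN = {
    RSA_ENCRYPTION: ("rsaEncryption", True),
    RSAES_OAEP: ("id-RSAES-OAEP", False),
    EC_PUBLIC_KEY: ("id-ecPublicKey", True),
}

# --- minimal DER encode/decode, just enough to reach the SPKI AlgorithmIdentifier ---
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID (first arc 0 or 1, as for all OIDs used here)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        items.append((tag, inner))
    return items

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def spki_algorithm_oid(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm -> OID."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; convert PEM to DER first")
    _, tbs_body = der_children(cert_body)[0]
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_body = fields[5]
    _, alg_body = der_children(spki_body)[0]
    oid_tag, oid_body = der_children(alg_body)[0]
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)

def classify_ek_cert(cert_der):
    """Return (oid, name, openssl_parsable) for the certificate's public key algorithm."""
    oid = spki_algorithm_oid(cert_der)
    name, openssl_ok = KNOWN.get(oid, ("unknown", False))
    return oid, name, openssl_ok

def build_sample_cert(spki_oid, spki_params):
    """Constructed, unsigned certificate-shaped DER for testing; NOT a real EK certificate."""
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, der(0x30, der_oid(spki_oid) + spki_params) + der(0x03, b"\x00" * 9))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))   # version v3
              + der(0x02, b"\x01")            # serialNumber
              + sig_alg
              + der(0x30, b"")                # issuer (empty Name is enough for the walker)
              + validity
              + der(0x30, b"")                # subject
              + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 5))

if __name__ == "__main__":
    # Usage: python ek_spki_check.py ek_rsa.der   (no argument: use the constructed OAEP sample)
    if len(sys.argv) > 1:
        cert = open(sys.argv[1], "rb").read()
    else:
        cert = build_sample_cert(RSAES_OAEP, der(0x30, b""))  # RSAES-OAEP-params with all defaults
    oid, name, ok = classify_ek_cert(cert)
    print(f"SPKI algorithm: {oid} ({name}); OpenSSL can load the public key: {ok}")
```

To obtain the certificate from a TPM of the affected hardware model, read it from the RSA EK certificate NV index defined by the TCG EK Credential Profile on a Linux host with tpm2-tools, for example `tpm2_nvread -C o 0x01c00002 -o ek_rsa.der`, then run the script on the file. The same mismatch shows up with `openssl x509 -inform DER -in ek_rsa.der -noout -pubkey`, which fails to extract the key when the algorithm is rsaesOaep; the script is useful precisely because it does not rely on OpenSSL understanding the key.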

Resolution

To resolve this issue, perform one of the following:

  1. Disable the TPM in the BIOS/UEFI setup.
  2. Switch the TPM from TPM 2.0 to TPM 1.2 mode.
  3. Contact the hardware vendor for replacement hardware whose TPM chip carries an EK certificate with an rsaEncryption public key.

Note that vSphere only attests hosts that have a TPM 2.0, so options 1 and 2 clear the alarm by giving up host attestation entirely rather than restoring it; only option 3 keeps attestation working. The hostd log lines above also show that no vendor-provided EK template was found in NV memory (NV_ReadPublic returned 0x18b), so the default TCG template was used; that is expected on many TPMs and is not itself the cause of the failure.