vSphere Client Displays "Host TPM attestation alarm" for ESXi Hosts
search cancel

vSphere Client Displays "Host TPM attestation alarm" for ESXi Hosts

book

Article ID: 369525

calendar_today

Updated On:

Products

VMware vCenter Server 8.0 VMware vSphere ESXi 8.0

Issue/Introduction

  • Following an installation or upgrade to ESXi 8.0 or higher, the following symptoms are observed:

    • A "Host TPM attestation" alarm is triggered in the vSphere UI.

    • The alarm appears even if a Trusted Platform Module (TPM) is not actively utilized in the environment.

    • This condition is typically observed when Secure Boot is disabled on the ESXi host hardware.

  • The message appears as:



  • When viewing the affected host in the vSphere Client, navigating to Monitor > Triggered Alarms displays the following active alarm:"

         

  • A review of the /var/log/vmware/vpxd/vpxd.log file in vCenter server reveals the following warning message

          YYYY-MM-DDTHH:MM:SS info vpxd[3424929] [Originator@6876 sub=Attestation opID=#####@148-4337f1da-WorkQueue-#####] VIB TAR Decompress: decompression of /tmp/vmware-vpxd/3424929.host-#####.boot_imgdb.tgz to /tmp/vmware-vpxd/#####.host-#####.boot_imgdb.tar took 1 ms

          YYYY-MM-DDThh:mm:SS warning vpxd[3424929] [Originator@6876 sub=Default opID=#####@148-4337f1da-WorkQueue-#####] TPM2VLIB: Secure Boot Disabled

          YYYY-MM-DDTHH:MM:SS warning vpxd[3424929] [Originator@6876 sub=Attestation opID=#####@148-4337f1da-WorkQueue-#####] Failed to update integrity report; [vim.HostSystem:host-#####,<host fqdn>], 24TpmVerificationException(error: 0x7, internal error: 0)

Environment

 

 

Cause

The Host TPM attestation alarm can be triggered due to several reasons. The causes listed below explain why permanent solutions (such as enabling Secure Boot or turning off the alarm) and temporary fixes (such as disconnecting and reconnecting the host) work in different situations.

  1. Secure Boot Disabled: The primary cause is that the vCenter Server detects that Secure Boot is disabled on the ESXi host. This alarm is part of VMware's enhanced security features but may not be relevant in all environments, particularly those where hardware limitations prevent the use of Secure Boot.
  2. Data Synchronization Issues: The alarm can also trigger if the communication between the ESXi host and vCenter Server gets out of sync. This typically happens because of temporary issues like network glitches, server restarts, or brief connection drops.

Resolution

Follow these steps to verify and resolve TPM attestation alarms in vSphere.

Verify Secure Boot Status

  1. Log in to the ESXi host via SSH as root and run the following command to check the current status: /usr/lib/vmware/secureboot/bin/secureBoot.py -s

    1. Enabled: If the output shows Secure Boot is enabled, skip to "If Secure Boot is already enabled" section
    2. Disabled: If the output shows Secure Boot is disabled, proceed to the next step.

Check Compatibility

  1. If Secure Boot is disabled, verify if the host meets the requirements to enable it: /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    1. If the output confirms it can be enabled: Proceed to the next step
    2. If the output shows it cannot be enabled: Skip to "If secure boot cannot be enabled" section

Enable Secure Boot via Hardware BIOS 

If the host is compatible, follow the below steps to enable Secure Boot:

  1. Reboot the ESXi host and access the BIOS/UEFI settings.
  2. Locate the Secure Boot option (usually under the Boot or Security tabs).
  3. Set Secure Boot to Enabled.
  4. Save changes and exit.
  5. Boot into ESXi and verify the alarm is cleared.

If Secure Boot is Already Enabled (Alarm Persists)

If the alarm is active despite Secure Boot being enabled, refresh the connection to vCenter:

  1. In the vSphere Client, navigate to Hosts and Clusters.
  2. Right-click the affected host and select Connection > Disconnect.
  3. Once disconnected, right-click the host and select Connection > Connect.
  4. After the host reconnects, navigate to the Monitor tab > Issues and Alarms
  5. Select the Triggered Alarms view, right-click the TPM alarm, and select Reset to Green.

If Secure Boot Cannot Be Enabled

If the hardware does not support Secure Boot, suppress the alarm at the vCenter level:

  1. Log in to the vSphere Client.
  2. Navigate to the affected host 
  3. Go to the "Monitor" tab and select "Issues".
  4. Select the TPM attestation alarm.
  5. Right-click on the alarm and select "Reset to Green".

Note: After applying any of these solutions, monitor the vSphere UI for 24 hours to confirm that the alarm is no longer triggered.

Additional Information

  • Disabling the TPM attestation alarm does not affect the security of your environment if you're not utilizing TPM-based features.
  • You can re-enable the alarm in the future if you implement TPM-based security features in your environment.
  • The disconnect/reconnect and alarm reset steps may provide a temporary fix by forcing the ESXi host and vCenter Server to resynchronize their data. If the alarm reoccurs frequently, consider the more permanent solutions or investigate potential network or communication issues between your ESXi hosts and vCenter Server.

 

Powered by Wolken Software