Host TPM Attestation Alarm: Endorsement Key Provisioning Failure on TPM 2.0 Device


Article ID: 382064


Products

VMware vSphere ESXi

Issue/Introduction

ESXi hosts may display the following alarm:
"Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on device"

This alarm typically appears after an ESXi host upgrade or when new hosts are added to the inventory. It indicates that the host's Trusted Platform Module (TPM) 2.0 could not be provisioned with an Endorsement Key, which host attestation and the TPM-based secure configuration depend on.

Environment

  • ESXi 7.0 and later versions
  • Systems with TPM 2.0 hardware
  • Environments using vCenter Server for host management
  • TPM attestation failure alerts in vCenter
  • TPM Platform hierarchy showing as not enabled
  • TPM Owner hierarchy showing as not enabled
  • Failed Endorsement Key creation on the TPM 2.0 device
  • Errors in vmkernel.log related to TPM hierarchy and initialization

Cause

This issue can occur due to several factors:

  • Secure Boot being disabled in the BIOS settings
  • TPM module not properly configured in host firmware
  • Hardware-level TPM chip issues
  • Recent hardware changes resulting in TPM chip replacement
  • Incorrect TPM settings in host profiles

Resolution

Diagnostic Procedure

  1. Check BIOS Configuration
    1. Access host BIOS settings (procedure varies by hardware vendor)
    2. Verify TPM status (Enabled/Disabled)
    3. Note current TPM configuration settings

  2. Verify TPM and Host Settings
    1. esxcli system settings encryption get
  3. Verify Secure Boot Status
    1. For checking and configuring Secure Boot:
  4. Check vmkernel.log for TPM-related errors
    1. grep -i tpm /var/log/vmkernel.log
    2. Common error patterns to look for:
      1. "TPM Platform hierarchy is not enabled"
      2. "TPM Owner hierarchy is not enabled"
      3. Error codes like "0x185" or "TPM_RC_HIERARCHY" (TPM_RC_HIERARCHY is TPM 2.0 response code 0x185, returned when the hierarchy a command needs is disabled)
  5. Review Recent Changes
    1. Confirm if TPM hardware has been replaced
    2. Check if recent host profile changes were made
    3. Verify if recent firmware updates were applied
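
The log check in step 4 can be scripted. The following POSIX shell function is an added example, not part of this article or of ESXi itself: it applies the same "grep -i tpm" filter, counts the error patterns listed above, and prints a hint pointing at one of the resolution paths below. The pattern-to-path mapping is this script's own heuristic, and the sample log it writes is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the KB): triage TPM lines in vmkernel.log against
# the patterns the article lists. Runs on busybox sh as found on ESXi.

# Case-insensitive count of lines in $1 matching extended regex $2.
# "|| true" keeps grep's exit status 1 on no match from aborting set -e callers.
tpm_count() { printf '%s\n' "$1" | grep -Eic "$2" || true; }

# Print a one-line summary and a hint. Returns 0 when no TPM error pattern
# matched, 1 when at least one did, 2 when the log cannot be read.
tpm_log_triage() {
    log="${1:-/var/log/vmkernel.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }

    # Same filter as the article's "grep -i tpm" step
    tpm_lines=$(grep -i tpm "$log" || true)

    plat=$(tpm_count "$tpm_lines" 'Platform hierarchy is not enabled')
    owner=$(tpm_count "$tpm_lines" 'Owner hierarchy is not enabled')
    rc=$(tpm_count "$tpm_lines" '0x185|TPM_RC_HIERARCHY')
    ek=$(tpm_count "$tpm_lines" 'Endorsement Key creation failed')
    echo "platform_hierarchy=$plat owner_hierarchy=$owner rc_hierarchy=$rc ek_failed=$ek"

    # Heuristic mapping (assumption, not an official VMware decision table)
    if [ "$plat" -gt 0 ] || [ "$owner" -gt 0 ] || [ "$rc" -gt 0 ]; then
        echo "hint: TPM hierarchies disabled; verify TPM and Secure Boot in BIOS (Path 1)"
        return 1
    elif [ "$ek" -gt 0 ]; then
        echo "hint: EK creation failed with hierarchies enabled; check TPM replacement (Path 2) or hardware (Path 4)"
        return 1
    fi
    echo "hint: no TPM error patterns found"
    return 0
}

# Write a constructed sample log (not a real capture) to path $1 for offline testing.
tpm_log_sample() {
    printf '%s\n' \
        '2024-01-01T00:00:00.000Z cpu0:2097152)Tpm2: Platform hierarchy is not enabled' \
        '2024-01-01T00:00:00.100Z cpu0:2097152)Tpm2: Owner hierarchy is not enabled' \
        '2024-01-01T00:00:00.200Z cpu0:2097152)Tpm2: Endorsement Key creation failed on device (0x185 TPM_RC_HIERARCHY)' \
        '2024-01-01T00:00:00.300Z cpu0:2097152)vmw_ahci: unrelated line' > "$1"
}

# Demo run against the constructed sample; on a host, call tpm_log_triage with no argument.
sample=$(mktemp)
tpm_log_sample "$sample"
tpm_log_triage "$sample" || echo "triage exit status $?"
rm -f "$sample"
```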

Resolution Paths

Based on diagnostic results, follow the appropriate resolution path:

Path 1: BIOS Configuration Issues
If TPM or Secure Boot is not properly configured in BIOS:

  1. Place host in Maintenance Mode

  2. Shut down the host

  3. Enter BIOS configuration

  4. Enable TPM
    Specific steps vary by vendor; consult your hardware documentation

  5. Enable Secure Boot

  6. Save and restart

  7. Execute:
    1. esxcli system settings encryption set --mode=TPM
    2. /bin/backup.sh 0 (persists the configuration to the boot device immediately rather than waiting for the periodic backup)
      For command details, see: Manage a Secure ESXi Configuration

Path 2: TPM Hardware Replacement
If TPM chip has been recently replaced:

  1. Preparation:
    1. For ESXi hosts in an NSX environment, in vSAN clusters, or connected to vSphere Distributed Switches, consult the corresponding documentation for removing a host from the cluster and its networking before proceeding
    2. Open a case with VMware support if needed

  2. Remove host from vCenter inventory

  3. Re-add host to establish new TPM trust

Path 3: Host Profile Conflicts
If issue appeared after host profile application:

  1. Remove TPM configuration from host profile

  2. Apply modified profile

  3. Manually configure TPM settings following Path 1
    See: vSphere Host Profiles

Path 4: Hardware Issues

If diagnostics indicate hardware problems or previous paths fail:

  1. Document current TPM status:
    1. esxcli hardware tpm status get

  2. Collect TPM error logs

  3. Open case with hardware vendor providing:
    1. TPM status output
    2. vmkernel.log errors
    3. Recent change history

  4. Request TPM firmware diagnostics

Additional Information

  • The TPM 2.0 chip is a physical component that provides hardware-based security features
  • TPM attestation is crucial for maintaining host security and identity verification
  • Always ensure proper backup procedures before making BIOS or firmware changes
  • See: Understanding the VMware vSphere Security Configuration Guide