Host TPM Attestation Alarm: Endorsement Key Provisioning Failure on TPM 2.0 Device

Products

VMware vSphere ESXi

Issue/Introduction

ESXi hosts may display the following alarm:
"Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on device"

This alarm typically appears after ESXi host upgrades or when adding new hosts to the infrastructure. The issue affects the Trusted Platform Module (TPM) 2.0 functionality, which is crucial for host attestation and security features.

Environment

ESXi 7.0 and later versions
Systems with TPM 2.0 hardware
Environments using vCenter Server for host management
TPM attestation failure alerts in vCenter
TPM Platform hierarchy showing as not enabled
TPM Owner hierarchy showing as not enabled
Failed Endorsement Key creation on the TPM 2.0 device
Errors in vmkernel.log related to TPM hierarchy and initialization

Cause

This issue can occur due to several factors:

Secure Boot being disabled in the BIOS settings
TPM module not properly configured in host firmware
Hardware-level TPM chip issues
Recent hardware changes resulting in TPM chip replacement
Incorrect TPM settings in host profiles

Resolution

Diagnostic Procedure

Check BIOS Configuration
1. Access host BIOS settings (procedure varies by hardware vendor)
2. Verify TPM status (Enabled/Disabled)
3. Note current TPM configuration settings
Verify TPM and Host Settings
1. esxcli system settings encryption get
  - This command shows current TPM mode and encryption settings.
  - For interpreting these settings, refer to:
    Manage a Secure ESXi Configuration
Verify Secure Boot Status
1. For checking and configuring Secure Boot:
  - Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration
Check vmkernel.log for TPM-related errors
1. grep -i tpm /var/log/vmkernel.log
2. Common error patterns to look for:
  1. "TPM Platform hierarchy is not enabled"
  2. "TPM Owner hierarchy is not enabled"
  3. Error codes like "0x185" or "TPM_RC_HIERARCHY"
Review Recent Changes
1. Confirm if TPM hardware has been replaced
2. Check if recent host profile changes were made
3. Verify if recent firmware updates were applied

Resolution Paths

Based on diagnostic results, follow the appropriate resolution path:

Path 1: BIOS Configuration Issues
If TPM or Secure Boot is not properly configured in BIOS:

Place host in Maintenance Mode
Shut down the host
Enter BIOS configuration
Enable TPM
Specific steps vary by vendor; consult your hardware documentation
Enable Secure Boot
Save and restart
Execute:
1. esxcli system settings encryption set --mode=TPM
2. /bin/backup.sh 0
  For command details, see: Manage a Secure ESXi Configuration

Path 2: TPM Hardware Replacement
If TPM chip has been recently replaced:

Preparation:
1. For ESXi hosts in NSX environment, vSAN clusters, or using virtual distributed switches, consult appropriate documentation for how to remove a host from a cluster/networking
2. Open a case with VMware vendor support if needed
Remove host from vCenter inventory
Re-add host to establish new TPM trust

Path 3: Host Profile Conflicts
If issue appeared after host profile application:

Remove TPM configuration from host profile
Apply modified profile
Manually configure TPM settings following Path 1
See: vSphere Host Profiles

Path 4: Hardware Issues

If diagnostics indicate hardware problems or previous paths fail:

Document current TPM status:
1. esxcli hardware tpm status get
Collect TPM error logs
Open case with hardware vendor providing:
1. TPM status output
2. vmkernel.log errors
3. Recent change history
Request TPM firmware diagnostics

Additional Information

The TPM 2.0 chip is a physical component that provides hardware-based security features
TPM attestation is crucial for maintaining host security and identity verification
Always ensure proper backup procedures before making BIOS or firmware changes
Understanding the VMware vSphere Security Configuration Guide