Enable TPM on ESXi.
Article ID: 393506
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
This KB introduces the full process of enabling TPM on ESXi.
Resolution
- Check if the TPM chip you are using supports TPM2.0 from Broadcom Compatibility Guide, especially check the BIOS version.
- Put host to maintenance mode. Reboot host.
- Enter Bios. Verify that TPM is enabled.
- If TPM is required to enable 2.0 in step 1, verify that algorithm is set to ONLY SHA256.
- If TPM is required to enable TXT in step 1, verify that Intel TXT is enabled in Bios.
- Create an SSH session to ESXi.
- Run this command to check if all vibs are compatible to secure boot.
/usr/lib/vmware/secureboot/bin/secureBoot.py -cExpected output is:
Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated - Run this command to check if TPM is visible in ESXi.
esxcli hardware trustedboot getExpected output is:
Drtm Enabled: [true|false] Tpm Present: true- If "Tpm Present" is "false", contact your hardware vendor.
- Run this command to check secure boot status.
esxcli system settings encryption getExpected output is:
Mode: TPM Require Executables Only From Installed VIBs: false Require Secure Boot: true- If "Mode" is "NONE", run this command to set it to "TPM".
esxcli system settings encryption set --mode=TPM - If "Require Secure Boot" is "false", run this command to set it to "true".
esxcli system settings encryption set -s 1
- If "Mode" is "NONE", run this command to set it to "TPM".
- Reboot host.
- The TPM on ESXi should be available now.
Feedback
Yes
No
Powered by
