TPM 2.0 verification failure due to missing image profile leading to Host attestation alarm on vCenter server

Article ID: 415173


Updated On:

Products

VMware vCenter Server

Issue/Introduction

vCenter raises the following alarm: Host TPM Attestation Alarm



Running the following command on the affected hosts from the CLI returns:

esxcli system settings encryption get

   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true

Environment

vSphere 7.x

vSphere 8.x

Cause

The image profile size used is larger than the current vCenter image size, which leads to the issue.

 

The following entries are logged in /var/log/vmware/vpxd/vpxd.log:

<timestamp> info vpxd[06091] [Originator@6876 sub=Attestation opID=ma###7n-####-auto-fkba-h5:######-5b-WorkQueue-59####35] VIB TAR Decompress: decompression of /tmp/vmware-vpxd/####.host-####.boot_imgdb.tgz to /tmp/vmware-vpxd/####.host-####.boot_imgdb.tar took 4 ms

<timestamp> warning vpxd[06091] [Originator@6876 sub=Default opID=ma###7n-####-auto-fkba-h5:######-5b-WorkQueue-59####35] TPM2VLIB: Failed to find filename: var/db/esximg/profiles/PROFILENAME in ESX VIB metadata

<timestamp> warning vpxd[06091] [Originator@6876 sub=Default opID=ma###7n-####-auto-fkba-h5:######-5b-WorkQueue-59####35] TPM2VLIB: Failed to get image profile buffer

<timestamp> warning vpxd[06091] [Originator@6876 sub=Attestation opID=ma###7n-####-auto-fkba-h5:######-5b-WorkQueue-59####35] Failed to update integrity report; [vim.HostSystem:host-####,HOSTNAME], 24TpmVerificationException(error: 0x1, internal error: 6)

Resolution

A fix will be implemented in upcoming releases. In the interim, please disregard the alarm if the TPM attestation feature is not used.
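To confirm that a failed integrity report matches the log signature shown under Cause before disregarding the alarm, the vpxd.log entries can be correlated by opID. The following is an added example, not VMware code; the function name triage, the cause labels and the sample lines are assumptions made for illustration, and it assumes the TPM2VLIB warnings share an opID with the failed report, as they do in the excerpt above.

```python
import re

# Patterns taken from the vpxd.log excerpt in the Cause section.
OPID = re.compile(r"opID=([^\]\s]+)")
PROFILE_MISS = re.compile(
    r"TPM2VLIB: Failed to (?:find filename: var/db/esximg/profiles/\S+"
    r"|get image profile buffer)")
REPORT_FAIL = re.compile(
    r"Failed to update integrity report; "
    r"\[vim\.HostSystem:(host-[^,\]]+),([^\]]*)\], (.+)$")

def triage(lines):
    """Map each host with a failed integrity report to a probable cause."""
    profile_ops = set()   # opIDs that logged an image profile lookup failure
    results = {}
    for line in lines:
        m = OPID.search(line)
        opid = m.group(1) if m else None
        if PROFILE_MISS.search(line):
            if opid:
                profile_ops.add(opid)
            continue
        r = REPORT_FAIL.search(line)
        if r:
            host_id, name, err = r.groups()
            known = opid in profile_ops
            results[host_id] = {
                "name": name,
                "error": err.strip(),
                "cause": "missing_image_profile" if known else "unexplained",
            }
    return results

# Constructed sample lines (timestamps, opIDs, host IDs and names are made up).
PFX = "2024-01-01T00:00:00.000Z warning vpxd[06091] [Originator@6876 "
ERR = "24TpmVerificationException(error: 0x1, internal error: 6)"
SAMPLE = [
    PFX + "sub=Default opID=op-A] TPM2VLIB: Failed to find filename: "
          "var/db/esximg/profiles/EXAMPLE-PROFILE in ESX VIB metadata",
    PFX + "sub=Default opID=op-A] TPM2VLIB: Failed to get image profile buffer",
    PFX + "sub=Attestation opID=op-A] Failed to update integrity report; "
          "[vim.HostSystem:host-1001,esx01.example.test], " + ERR,
    PFX + "sub=Attestation opID=op-B] Failed to update integrity report; "
          "[vim.HostSystem:host-1002,esx02.example.test], " + ERR,
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE).items():
        print(host, info["name"], info["cause"], info["error"])
```

A host reported as "unexplained" failed attestation without the image profile warnings described in this article and should be investigated separately.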