TPM 2.0 devices containing an endorsement key certificate with a public key (rsaesOaep) are not supported by OpenSSL
Article ID: 334591
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
Symptoms:
After you add a host with TPM 2.0 enabled, vCenter Server reports the following alarm:
Host TPM attestation alarm
On the host summary page of the vCenter UI, you see a message similar to:
Unable to provision Endorsement Key on TPM 2.0 device: Endorsement key does not match EK certificate.
In hostd.log, you see messages similar to:
2017-12-12T08:06:39.020Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Tpm20Provider created.
2017-12-12T08:06:39.092Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Preprovisioned endorsement key not found at 0x81010001
2017-12-12T08:06:39.114Z verbose hostd[1001392663] [Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: summary.runtime, ha-root-pool. Sent notification immediately.
2017-12-12T08:06:39.247Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
2017-12-12T08:06:39.247Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Vendor provided RSA endorsement key template is not present in NV memory. Using default template per TGC spec.
2017-12-12T08:06:39.288Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] NV_ReadPublic: (0x18b) Unknown
2017-12-12T08:06:39.375Z info hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Could not extract X509 public key.
2017-12-12T08:06:39.376Z error hostd[1001392646] [Originator@6876 sub=Hostsvc.Tpm20Provider] Unable to provision default rsa endorsement key.
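To confirm that an EK certificate is the kind named in the title, check the algorithm OID in its SubjectPublicKeyInfo: id-RSAES-OAEP (rsaesOaep) is 1.2.840.113549.1.1.7, whereas a plain RSA key uses rsaEncryption, 1.2.840.113549.1.1.1. The Python check below is an added example, not VMware code; the function names are illustrative and `sample_cert` builds a constructed skeleton certificate rather than a real EK certificate.

```python
# Added example: read the SubjectPublicKeyInfo algorithm OID from a DER certificate.
RSAES_OAEP = "1.2.840.113549.1.1.7"   # id-RSAES-OAEP; rsaEncryption is ...1.1.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0   # first byte packs two arcs
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def spki_algorithm_oid(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, s, e = read_tlv(cert_der, 0)
    _, s, e = children(cert_der, s, e)[0]
    fields = children(cert_der, s, e)
    spki = fields[6 if fields[0][0] == 0xA0 else 5]   # [0] version is optional
    alg = children(cert_der, spki[1], spki[2])[0]
    tag, s, e = children(cert_der, alg[1], alg[2])[0]
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[s:e])

def der(tag, body=b""):
    return bytes([tag, len(body)]) + body   # short-form length, sample only

def sample_cert(oid_hex):
    """Constructed skeleton (empty placeholder fields), not a real EK certificate."""
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x30)) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))
print(spki_algorithm_oid(sample_cert("2a864886f70d010107")) == RSAES_OAEP)
```

For a PEM-encoded certificate, convert it to DER first, for example with `ssl.PEM_cert_to_DER_cert` from the Python standard library.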
Environment
VMware vSphere ESXi 6.7
Resolution
To resolve this issue, perform one of the following:
Disable TPM from BIOS
Switch to TPM 1.2 mode
Additional Information
Simplified Chinese:
TPM 2.0 devices containing an endorsement key certificate and public key (rsaesOaep) are not supported by openssl