
Secure Boot support for Alletra 6k dHCI

jlangmead
Regular Advisor

Hello guys,

I have a pair of new DL360 Gen11 hosts deployed at a customer site as part of a greenfield Alletra 6030 dHCI environment. Now I get the error "Host TPM attestation alarm" in vCenter, which I generally expect.

Normally I would activate Secure Boot and all the TPM stuff needed to fix this. However, the hosts now PSOD stating that secure boot failed as it was unable to validate the signatures for the Nimble SCM vib(s).

Is there a workaround for this, or is secure boot simply not an option for Gen11 hosts and we have to live with getting the Attestation alarm after every reboot?

Thanks

giladzzz
Honored Contributor

Re: Secure Boot support for Alletra 6k dHCI

Hi,

Talk to Nimble support; they should have an answer.

Regards

BoonL
HPE Pro

Re: Secure Boot support for Alletra 6k dHCI

Download SCM from Infosight and reinstall the SCM. This should resolve the signature issue.

I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
WissfeldA
Advisor

Re: Secure Boot support for Alletra 6k dHCI

I know this is an old thread, but I just had this issue today with a bunch of DL380 Gen11 and an Alletra 6k (6030) which had been "factory setup".
(We didn't do anything to the DL compute nodes apart from racking them up and plugging them in; we assumed that since the whole PCBE bundle was set up by the factory, things would just work.) Well ... assumptions in IT don't go far.

The errors were:

- vCenter alarms/warnings like:
   "Host TPM attestation alarm" or "Unable to acquire ownership of TPM 2.0 device. Please clear TPM through the BIOS."

- Enabling Secure Boot in BIOS/RBSU leads to an ESX Pink Screen of death

It took me a whole day but I resolved it like this:

  1. I first checked whether this ESX host was even capable of "Secure Boot" (which is a requirement of vSphere's TPM usage afaik) via SSH:
    > /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    Secure boot CANNOT be enabled:
    Failed to verify signatures of the following vib(s): [HPE-Storage-Connection-Service HPE-Storage-psp].
    All tardisks validated. All acceptance levels validated.

    Which I've already seen on the Pink Screen, so I tried BoonL's suggestion.
  2. So I downloaded HPE-Storage-Connection-Manager-for-VMware-7.0-7.0.2-700014.zip from https://infosight.hpe.com/ (Software Downloads), but not without checking the actually installed VIBs with:
    > esxcli software vib list | grep HPE-Storage
    HPE-Storage-Connection-Service 7.0.2-700014   HPE   VMwareAccepted 2024-08-23  host
    HPE-Storage-psp                7.0.2-700014   HPE   VMwareAccepted 2024-08-23  host
    So the (factory preinstalled) version was 7.0.2-700014 ... strange, that's the current version.
  3. Anyways, again thanks to BoonL, I just uploaded that zip to a datastore and uninstalled and reinstalled the VIBs:
    esxcli software vib remove --vibname=HPE-Storage-Connection-Service
    esxcli software vib remove --vibname=HPE-Storage-psp
    esxcli software vib install --depot=<full_path_to_file>/HPE-Storage-Connection-Manager-for-VMware-7.0-7.0.2-700014.zip
    Since no reboot was necessary, I checked again:
    > /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    Secure boot CAN be enabled.
    All vibs validated. All tardisks validated. All acceptance levels validated.

    Maybe someone with more knowledge than me can explain this.
    Anyways, now I was able to enable "Secure Boot" in RBSU and the ESXi booted up nicely, albeit the vCenter errors were still there.
    The Security Monitor on Datacenter level still read "Internal Error" ... **bleep**.
  4. Many hours, trips to RBSU and reboots later I stumbled across the RBSU Advanced TPM settings "TPM Storage Hierarchy" and "TPM Endorsement",
    and I remembered some *cough*competitors*cough* KB article about "TPM history", as they called it.
    I gave it a try and enabled both of them (dunno whether that's necessary).
  5. This didn't instantly remediate the issue, but the vCenter logs at least didn't complain about "Internal Error" anymore.
    The last thing we needed to do was to rediscover some TPM magick by just disconnecting and reconnecting the questionable host.
    Afterwards the errors/alarms/warnings were gone and the security state was "TPM attestation: passed".

I cannot explain why this left the factory like this; imagine this system had been shipped directly to the customer .... Big Frustration incoming!

Anyway .. maybe this helps someone in the future.

TLDR:
- Reinstall SCM VIB (from infosight) on ESXi host (in maintenance mode)
- Reboot and enter RBSU
- Enable in RBSU: "Secure Boot", "TPM Endorsement", "TPM Storage Hierarchy", Save and Exit, then reboot
- When visible in vCenter, "Disconnect" and  "Connect" the host
- Clear TPM alarms
- Move on
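As an added example (not part of WissfeldA's post or HPE's tooling), here is a small POSIX sh helper that parses the output of `/usr/lib/vmware/secureboot/bin/secureBoot.py -c` shown in step 1, extracts the VIBs that failed signature verification, and prints (does not run) the `esxcli software vib remove`/`install` commands from step 3 for exactly those VIBs. The `DEPOT` path and the sample checker output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the secure-boot checker output
# and emits the remediation commands WissfeldA used, without executing them.
# DEPOT is an ASSUMED datastore path; point it at the uploaded SCM zip.
DEPOT="${DEPOT:-/vmfs/volumes/datastore1/HPE-Storage-Connection-Manager-for-VMware-7.0-7.0.2-700014.zip}"

# Constructed sample of the checker's output on a failing host (as in step 1).
SAMPLE_FAIL='Secure boot CANNOT be enabled:
Failed to verify signatures of the following vib(s): [HPE-Storage-Connection-Service HPE-Storage-psp].
All tardisks validated. All acceptance levels validated.'

# failed_vibs OUTPUT: print the space-separated VIB names inside [...] on the
# "Failed to verify signatures" line; prints nothing when no VIB failed.
failed_vibs() {
  printf '%s\n' "$1" |
    sed -n 's/^Failed to verify signatures of the following vib(s): \[\(.*\)]\.$/\1/p'
}

# secureboot_ok OUTPUT: succeed only when the checker says secure boot CAN be enabled.
secureboot_ok() {
  printf '%s\n' "$1" | grep -q '^Secure boot CAN be enabled'
}

# remediation_plan OUTPUT: one esxcli remove per failed VIB, then one install
# from the depot. Returns 1 (and prints nothing) when there is nothing to fix.
remediation_plan() {
  vibs=$(failed_vibs "$1")
  [ -n "$vibs" ] || return 1
  for v in $vibs; do
    echo "esxcli software vib remove --vibname=$v"
  done
  echo "esxcli software vib install --depot=$DEPOT"
}

# On a real host, feed the live checker output instead of the sample:
#   remediation_plan "$(/usr/lib/vmware/secureboot/bin/secureBoot.py -c)"
remediation_plan "$SAMPLE_FAIL"
```

Run the printed commands only with the host in maintenance mode, then re-run the checker to confirm it reports "Secure boot CAN be enabled" before turning Secure Boot on in RBSU.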


LuisSoares
Occasional Advisor

Re: Secure Boot support for Alletra 6k dHCI

WissfeldA, you saved my day! Your description of the problem and solution worked like a charm. Thank you so much!

Just wondering if the next DHCI 1-Click updates will break ESXi.

Maybe one thing to consider for future DHCI 1-Click updates is to go into the BIOS to disable secure boot temporarily before starting the DHCI 1-Click updates.

Thanks again!

Luis

BoonL
HPE Pro

Re: Secure Boot support for Alletra 6k dHCI

a) Arrays above 6.1.2.x would be able to handle servers with TPM enabled. Earlier versions of the array OS, before 6.1.2.x, are not able to run an SPP update when TPM is enabled.

b) Advise against disabling TPM after Secure Boot has been enabled. That will likely lead to a PSOD due to a security violation.

https://knowledge.broadcom.com/external/article?articleNumber=312109

OmarM21
Senior Member

Re: Secure Boot support for Alletra 6k dHCI

For me, Secure Boot was already enabled. And since this was a fresh install, I didn't remove SCM, and jumped right into enabling...

* Enable in RBSU: "Secure Boot", "TPM Endorsement", "TPM Storage Hierarchy", Save and Exit, then reboot

Upon reboot, the TPM message was gone!

THANK YOU!!!!