HPE OneView

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

 
pirx
Valued Contributor

OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

I set up a few DL380Gen11 servers a few weeks ago and did not get this warning. Now I have a few new DL320Gen11 servers, and I updated OV to v8.70 last week. I have now updated the firmware of the servers.

I found this post PCR Measurements Changed, Component Type BIOS PCR ... - Hewlett Packard Enterprise Community (hpe.com)

The warning is triggered after each reboot (maybe power cycle) even without an OS installed. What needs to be done to clear this permanently?

 

 

PCR Measurements Changed, Component Type BIOS PCR Index PCR13

1/11/24  6:52:43 pm
15 minutes ago
Active
unassigned
Resolution 

Configuration change detected in above mentioned component, please verify if firmware version is as expected

Notes

Event details
  1. alertTypeID: Redfish.iLOEvents.6.5.PCRChanged
  2. correctiveAction: Configuration change detected in above mentioned component, please verify if firmware version is as expected
  3. eventTimestamp: 2024-01-11T17:52:38Z
  4. ipv4Address: 10.24.249.11
  5. ipv6Address: fe80:0:0:0:5eed:8cff:fead:5466
  6. lifeCycle: false
  7. Redfish.EventId: 6dd9de92-dbe3-6bae-9c14-350a738d2d86
  8. Resource: /redfish/v1/Managers/1/SecurityService/
  9. resourceID: /redfish/v1/Managers/1/SecurityService/
  10. resourceUri: /rest/server-hardware/37323550-3636-5A43-4A44-303530313250

Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello, 

Refer to the advisory. Advisory: HPE Integrated Lights-Out 6 (iLO 6) - "PCR Measurements Changed" Critical Error Message Displayed in HPE OneView

This is a known issue and will be resolved in a future version of iLO firmware.

I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02 

Ok, thanks. One thing that I still don't understand... according to RBSU Common options | UEFI System Utilities User Guide for HPE ProLiant Gen11 Servers, and HPE Synergy, the TpmActivePcrs should be set to "Not Specified". Then why is it set to Sha256Sha384?

 

TpmActivePcrs Server Security/TPM Options

  • Not Specified (default)

 

[Moderator edit: Updated the link. You may refer to https://support.hpe.com/]

Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello, 

 

Configuring Trusted Platform Module (TPM) options | UEFI System Utilities User Guide for HPE ProLiant Gen11 Servers, and HPE Synergy

 

  • Current TPM 2.0 Active PCRs: When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Options are:
    • SHA1 only
    • SHA256 only
    • SHA384 only
    • SHA1 and SHA256
    • SHA256 and SHA384

 

[Moderator edit: Updated the working link. You may also refer to https://support.hpe.com/]

I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

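Added example, not part of the original thread and not HPE's or iLO's alerting logic: a sketch of the per-bank TPM 2.0 extend operation mentioned in the quoted guide, showing that each active bank holds a different value for the same measured events, so a reboot-to-reboot comparison has to be made bank by bank. The function names and the sample events are constructed for illustration.

```python
import hashlib

# Hash algorithm behind each PCR bank named in the quoted option list.
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha384": hashlib.sha384}

# Constructed sample measurements (not real firmware event data).
SAMPLE_EVENTS = [b"constructed-event-A", b"constructed-event-B"]

def extend(bank, pcr_value, event_data):
    """TPM 2.0 extend: new = H(old || H(event_data)), using the bank's hash."""
    h = BANKS[bank]
    return h(pcr_value + h(event_data).digest()).digest()

def replay(events, active_banks):
    """Replay events into every active bank; PCRs 0-15 start as all zeros."""
    pcrs = {b: bytes(BANKS[b]().digest_size) for b in active_banks}
    for data in events:
        for b in active_banks:
            pcrs[b] = extend(b, pcrs[b], data)
    return pcrs

def compare(baseline, current):
    """Classify the difference between two boots, one verdict per bank."""
    verdict = {}
    for bank in sorted(set(baseline) | set(current)):
        if bank not in current:
            verdict[bank] = "bank removed"
        elif bank not in baseline:
            verdict[bank] = "bank added"
        elif baseline[bank] != current[bank]:
            verdict[bank] = "measurement changed"
        else:
            verdict[bank] = "unchanged"
    return verdict

if __name__ == "__main__":
    boot1 = replay(SAMPLE_EVENTS, ["sha256", "sha384"])
    # Same events, but only the SHA256 bank active on the next boot.
    print(compare(boot1, replay(SAMPLE_EVENTS, ["sha256"])))
    # Same banks, one extra measured event.
    print(compare(boot1, replay(SAMPLE_EVENTS + [b"extra"], ["sha256", "sha384"])))
```

A monitor that keeps a single value per PCR index cannot tell the first case from the second, which is why the active-bank setting belongs in the baseline alongside the PCR values.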

pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02 Sorry, but I don't get the context of your answer. My question was:

Then why is it set to Sha256Sha384?

When documentation contains:

TpmActivePcrs Server Security/TPM Options

Not Specified (default)

The first time I checked this setting in RBSU it was Sha256Sha384. So is this the default or did it change to that from Not Specified because of some reason?


Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hello. 

@pirx

I have verified many servers in our lab. The TPM 2.0 Active PCRs are set to SHA256 and SHA384 on DL320 Gen11 servers. 
Looks like this is the default value which is set on these servers. 

We do see "Not Specified" option, but that is not selected as default. 

 

Refer to the below screenshots. 

I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


pirx
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

@Kashyap02  yes, I expected that. But then documentation is wrong.

Kashyap02
HPE Pro

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Looks like it. I will definitely provide feedback to the concerned team.
Thank you for highlighting this.
I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]


NJK-Work1
Advisor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

So what is the fix for this?  I just updated to 1.57 (released end of Feb 2024) on a test machine and I am still getting these errors.  Is the fix still in the works for a future iLO firmware update, or should we be changing the settings in the UEFI to prevent that? If so, then what settings?

Thanks

NJK

NJK-Work1
Advisor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

I did notice that the AlertID changed from "Redfish.iLOEvents.6.5.PCRChanged" (6.5) to "Redfish.iLOEvents.6.6.PCRChanged" (6.6).  Not sure if that is circumventing the previous fix...but figured I would mention it.

NJK

aireynol
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

When can we expect the updated iLO firmware to address this? I am already tired of having to clear this error after every reboot.

NJK-Work1
Advisor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

As best I can tell, setting the "Current TPM 2.0 Active PCRs" to "Not Specified" DOES fix the problem of generating the alerts in OneView on reboot.  However, I have no idea what this setting is used for or what the ramifications are of changing it.  So I am not suggesting anyone do this without doing their own research and testing first before implementing on production systems.  I can just tell you it works for me and did not cause any problems (yet) in my environment.

The problem comes in when you do an iLO update.  It appears the iLO firmware update resets this value back to "SHA256 and SHA384" which then causes the alerts to start happening again.  I had clean reboots for several days after setting it to "Not Specified" and then I updated the iLO to 1.59 and the alerts came back.  When I checked the setting, it had switched back to "SHA256 and SHA384" .  I changed it back to "Not Specified" and the alerts went away.

Thus my conclusion is:

  • The documentation is correct in that the default value is "Not Specified".

  •  It is the process of doing an iLO update that changes this value to something other than the default of "Not Specified" causing the alerts.

Hope this helps others.

NK

ACampbell1
Senior Member

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Hi, I currently have the same alerting issue in OneView but I cannot set the TPM PCRs to Not Specified as it is NOT an option.

 

Please advise.

 

Thanks

Angelo

quesnl
Valued Contributor

Re: OV 8.70, Gen11 server, PCR Measurements Changed, Component Type BIOS PCR Index PCR13

Did anybody get this issue resolved? I am still getting this alert on every reboot on any Gen11 servers.