HPE SimpliVity

Re: ESX 9 "Unable to acquire ownership of TPM 2.0 device on HPE DL380 Gen11 serv

 
SOLVED
NZamp
Valued Contributor

Secure Boot

Hello guys,

I have a pair of new SimpliVity nodes deployed at a customer site. Now I get the error "Host TPM attestation alarm".

Normally I would activate Secure Boot and all the TPM stuff needed, but I'm unsure if this can also be done with the SimpliVity nodes or if this isn't supported.

I've found the following:

https://community.hpe.com/t5/hpe-simplivity/secure-boot-with-simplivity/m-p/7170783#M3429

but the answer is one time YES and one time NO, so this doesn't clarify the problem.

So what is true?

 

Best regards,

Nick

5 REPLIES
FabrizioDV
Advisor
Solution

Re: Secure Boot

 

 

From this document: HPE OmniStack 4.2.0 for vSphere Release Notes.pdf

Link: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00131390en_us

 

 
 


 

 

NZamp
Valued Contributor

Re: Secure Boot

Hello Fabrizio,

Secure Boot is not supported, got it.

Thanks for the clarifying answer.

 

Best regards,

Nick

Sunitha_Mod
Honored Contributor

Re: Secure Boot

Hello Nick, 

We are glad to know your concern has been addressed. 

Matt4istal
Established Member

ESX 9 "Unable to acquire ownership of TPM 2.0 device" on HPE DL380 Gen11 server solution.

VMware ESX 9 "Unable to acquire ownership of TPM 2.0 device. Please clear TPM through the BIOS." on HPE DL380 Gen11 server solution.
The solution was a 4-step process in the HPE DL380 Gen11 server BIOS. The configuration steps that fixed the TPM issue with VMware in this case were as follows:

Step 1 – Enable Secure Boot in System Configuration > BIOS/Platform Configuration (RBSU) > Server Security.
Reboot server.
Step 2 – Enable the following Advanced Trusted Platform Module Options in System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Trusted Platform Module Options
• TPM UEFI Option ROM Measurement: Default = Disabled --> Change to Enabled
• TPM 2.0 Endorsement Hierarchy: Default = Disabled --> Change to Enabled
• TPM 2.0 Storage Hierarchy: Default = Disabled --> Change to Enabled
Reboot server.
Step 3 – Clear the TPM in System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Trusted Platform Module Options > TPM 2.0 Operation
Step 4 – Perform a Cold Boot of server (full power off and back on) to clear the TPM.

After performing these 4 steps, the TPM attestation alert message was cleared in vCenter on the ESX 9 hosts. (Note: Also have to disconnect / reconnect each host to vCenter since the TPM settings were changed on hosts that were already joined to vCenter in order to clear attestation failed messages that were in the "Cluster -> Security" menu).

egoqed
Advisor

Re: ESX 9 "Unable to acquire ownership of TPM 2.0 device on HPE DL380 Gen11 serv

Maybe to add an update here:

Prerequisites to enable Secure Boot enforcement

Secure Boot enforcement can be enabled on an HPE SimpliVity node where:

  • TPM2.0 is configured on the HPE SimpliVity Server.
  • Nodes are either deployed or upgraded to HPE SimpliVity 5.2.0 or higher.
  • HPE SimpliVity Server firmware must be at a minimum version of 2024.0930.02 on Gen11 servers, and at a minimum version of 2024.0930.03 on Gen10 servers.

Secure Boot is supported on all platforms and all hypervisors that are supported by HPE SimpliVity 5.2.0 or higher releases.

The factory shipped servers continue to have the secureboot BIOS setting disabled, and it can be enabled only after successful deployment. If a secure boot enabled server needs to be redeployed, disable the secureboot BIOS setting first, otherwise the server might not boot into the deploy-installer USB image.
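
The prerequisites quoted in the post above, written as a preflight check over a node inventory. This is an added example, not code from HPE or from any poster in this thread. The `Node` record, its field names and the sample hosts are assumptions constructed for illustration; only the version minimums come from the post.

```python
from collections import namedtuple

# Minimums as quoted in the post above.
MIN_FIRMWARE = {"Gen11": "2024.0930.02", "Gen10": "2024.0930.03"}
MIN_SIMPLIVITY = "5.2.0"

# Hypothetical inventory record; field names are assumptions.
Node = namedtuple("Node", "name generation firmware simplivity tpm20_configured deployed")

def parse_version(text):
    """'2024.0930.02' -> (2024, 930, 2): zero-padded fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def at_least(actual, minimum):
    """True when 'actual' is the same as or newer than 'minimum'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))

def secure_boot_blockers(node):
    """Reasons not to enable Secure Boot enforcement yet; empty list means ready."""
    blockers = []
    if not node.deployed:
        blockers.append("not deployed: enable Secure Boot only after deployment")
    if not node.tpm20_configured:
        blockers.append("TPM 2.0 not configured")
    if not at_least(node.simplivity, MIN_SIMPLIVITY):
        blockers.append(f"SimpliVity {node.simplivity} < {MIN_SIMPLIVITY}")
    minimum = MIN_FIRMWARE.get(node.generation)
    if minimum is None:
        blockers.append(f"no firmware minimum quoted for {node.generation}")
    elif not at_least(node.firmware, minimum):
        blockers.append(f"firmware {node.firmware} < {minimum} ({node.generation})")
    return blockers

# Constructed sample inventory (not real hosts).
NODES = [
    Node("svt-a", "Gen11", "2024.0930.02", "5.2.0", True, True),
    Node("svt-b", "Gen10", "2024.0930.02", "5.2.1", True, True),
    Node("svt-c", "Gen11", "2025.0110.01", "5.1.3", False, True),
]

if __name__ == "__main__":
    for n in NODES:
        print(n.name, secure_boot_blockers(n) or "ready")
```

The second sample node shows why the per-generation minimum matters: firmware 2024.0930.02 passes on Gen11 but is one revision short on Gen10.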