
PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

 
MarioE
Trusted Contributor

PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

I have two new ProLiant DL380 Gen11 servers. After each reboot of the servers I get the following event in HPE OneView:

PCR Measurements Changed, Component Type BIOS PCR Index PCR1

Resolution Configuration change detected in above mentioned component, please verify if firmware version is as expected

Event details
alertTypeID Redfish.iLOEvents.6.5.PCRChanged
correctiveAction Configuration change detected in above mentioned component, please verify if firmware version is as expected
eventTimestamp 2023-12-04T06:22:50Z
ipv4Address xxx
ipv6Address xxxx
lifeCycle false
Redfish.EventId 0399e1af-355a-2ba1-c05c-c2bf5d988e14
Resource /redfish/v1/Managers/1/SecurityService/
resourceID /redfish/v1/Managers/1/SecurityService/
resourceUri /rest/server-hardware/xxx

ngnear
HPE Pro

Re: PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

Hi There,

 

Thank you for contacting us.
This would require a bit more analysis. We suggest you log a Support Case with the latest logs at https://support.hpe.com/hpesc/public/home



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
MarioE
Trusted Contributor

Re: PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

The server is running VMware ESXi 7.0 Update 3o.

I have opened a support case.
The problem seems to be related to the Trusted Platform Module (TPM).
I have now changed the value "Current TPM 2.0 Active PCRs" from

SHA256 and SHA384
to
SHA1 and SHA256

This seems to have fixed the problem.

According to support, VMware ESXi 7.0 cannot handle SHA384. It only works with VMware ESXi 8.0, but there is no document or advisory on this...
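
Background for the alert and for the bank setting changed above, as an added example that is not part of the thread or of any HPE or VMware tool: every active PCR bank keeps its own value per PCR index, built by extending the previous value with the digest of each measurement, so a changed configuration measurement changes PCR1 in every active bank. The measurement names and data are constructed, and placing firmware code in PCR0 and platform configuration in PCR1 follows the TCG PC Client convention.

```python
import hashlib

# Hash algorithm behind each PCR bank named in the thread.
BANKS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA384": hashlib.sha384}


def replay(events, active_banks):
    """Replay (pcr_index, data) measurements into every active bank.

    Returns {bank: {pcr_index: hex value}}. Each PCR starts as all zero
    bytes and is extended as new = H(old || H(data)).
    """
    result = {}
    for bank in active_banks:
        h = BANKS[bank]
        pcrs = {}
        for index, data in events:
            old = pcrs.get(index, bytes(h().digest_size))
            pcrs[index] = h(old + h(data).digest()).digest()
        result[bank] = {i: v.hex() for i, v in pcrs.items()}
    return result


def changed_pcrs(baseline, current):
    """List (bank, pcr_index) pairs that differ or exist on one side only."""
    diffs = []
    for bank in sorted(set(baseline) | set(current)):
        b, c = baseline.get(bank, {}), current.get(bank, {})
        for index in sorted(set(b) | set(c)):
            if b.get(index) != c.get(index):
                diffs.append((bank, index))
    return diffs


# Constructed measurements: PCR0 = firmware code, PCR1 = platform configuration.
BOOT_A = [(0, b"bios-image-v1"), (1, b"boot-order=disk,pxe"), (1, b"sriov=off")]
BOOT_B = [(0, b"bios-image-v1"), (1, b"boot-order=pxe,disk"), (1, b"sriov=off")]

if __name__ == "__main__":
    before = replay(BOOT_A, ["SHA256", "SHA384"])
    after = replay(BOOT_B, ["SHA256", "SHA384"])
    # One changed configuration measurement: PCR1 differs in both banks.
    print(changed_pcrs(before, after))
    # Same measurements, different active banks: only the added or
    # removed banks differ from the baseline; SHA256 is unchanged.
    print(changed_pcrs(before, replay(BOOT_A, ["SHA1", "SHA256"])))
```
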

ngnear
HPE Pro

Re: PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

Thank you for the update.

We're glad that the issue has been resolved.

Since the issue has been addressed, we'll go ahead and archive the community support case.



Wennberg
HPE Pro

Re: PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

@MarioE  Hi

I see that you have this working now, but for others who still have this problem it might be worth testing to also adjust the interface value according to the recommendations of VMware. It seems like your Current TPM 2.0 Software Interface Status is correctly set to FIFO, but the documented default value is "No action".

For ESXi 7:

"Ensure that the TPM is configured in the ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). For information about setting these required BIOS options, refer to the vendor documentation."

The settings for Gen11 are documented here: 

https://support.hpe.com/hpesc/public/docDisplay?docId=sd00002448en_us&docLocale=en_US&page=GUID-762B79A6-DC23-4F57-ABEE-DEADC6623B42.html

Moderator [above link is no longer valid, please visit https://support.hpe.com/connect/s/  to find the latest info ]

TpmActivePcrs = SHA256
Current TPM 2.0 Software Interface Status = FIFO

I work for HPE but these are my own findings and they have not been tested.

Regards Hans

 

 

 

I'm an HPE employee.
Scott Caryer
Frequent Advisor

Re: PCR Measurements Changed, Component Type BIOS PCR Index PCR1 - ProLiant DL380 Gen11

@Wennberg Ironically, I made this change on my Gen11 server and rebooted it. It is running Win2k22 OS, and the issue is still there even after a server hardware refresh in OneView... I simply went into the ACTIVITY section in OV and cleared the alert. Any more thoughts?