Operational Defect Database
BugZero found this defect 159 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Hewlett Packard Enterprise | a00136546en_us
Advisory: HPE ProLiant/Synergy Gen10 Servers - TPM Configured as a TPM 2.0 Device Containing Endorsement Key Certificate with Public Key (rsaesOaep) Is Not Supported by OpenSSL Used by VMware ESXi 7.x
Last update date:
12/13/2023
Affected products:
HPE ProLiant DL325 Gen10 server
HPE ProLiant DL360 Gen10 server
HPE ProLiant DL380 Gen10 server
HPE ProLiant DL560 Gen10 server
HPE ProLiant DL580 Gen10 server
HPE ProLiant ML350 Gen10 server
HPE ProLiant XL190r Gen10 Server
HPE Synergy 480 Gen10 Compute Module
HPE Synergy 660 Gen10 Compute Module
Affected releases:
No affected releases provided.
Fixed releases:
No fixed releases provided.
Description:
Info
Any ProLiant Gen10 server or Synergy Gen10 Compute Module with a TPM that has been configured as a 2.0 device in System Configuration (RBSU) containing an endorsement key certificate with public key (rsaesOaep) is not supported by OpenSSL used by VMware ESXi 7.x or earlier. In the host log, the following error will occur: hostd.7:2023-05-25T15:19:15.419Z info hostd[2099610] [Originator@6876 sub=Hostsvc.TpmEventLogProvider] TpmEventLogProvider created hostd.7:2023-05-25T15:19:15.430Z error hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: DictionaryAttackLockReset: (0x921) TPM_RC_LOCKOUT hostd.7:2023-05-25T15:19:15.430Z info hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: Unable to reset the dictionary attack counter hostd.7:2023-05-25T15:19:15.469Z error hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: EK does not match EK certificate by public key content hostd.7:2023-05-25T15:19:15.479Z error hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: NV_ReadPublic: (0x18b) Unknown hostd.7:2023-05-25T15:19:15.479Z info hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: Vendor provided RSA endorsement key template is not present in NV memory. Using default template per TGC spec hostd.7:2023-05-25T15:19:15.490Z error hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: NV_ReadPublic: (0x18b) Unknown hostd.7:2023-05-25T15:19:15.569Z error hostd[2099610] [Originator@6876 sub=Libs] Tpm2Cmd: EK does not match EK certificate by public key content hostd.7:2023-05-25T15:19:15.569Z error hostd[2099610] [Originator@6876 sub=Hostsvc.Tpm20Provider] Unable to provision default rsa endorsement key. hostd.7:2023-05-25T15:19:15.569Z info hostd[2099610] [Originator@6876 sub=Hostsvc.Tpm20Provider] Raised TPM Config Issue: (vim.event.EventEx) { The vCenter Server reports the following message after adding a host with the TPM2.0 feature enabled: "Host attestation is failing."
Scope
Any ProLiant/Synergy Gen10 with TPM configured for 2.0 running VMware ESXi 7.x or earlier.
Resolution
The following workarounds are available: Disable the TPM in the BIOS using RBSU. OR Change the TPM setting in the BIOS from 2.0 to 1.2. This advisory will be updated if additional solutions become available. RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively in your e-mail through HPE Support Alerts. Sign up for Support Alerts at the following URL: HPE Email Preference Center. NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches and other support software downloads, refer to the Navigation Tips document. SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips document.
