Can't add TPM device to ESXi 7.3 VM
I'm having a problem setting up TPM on vCenter 7.3. When I try to create or change a VM to add the device Trusted Platform Module, it doesn't show as a device to add. Same problem if I try to create a new VM. When I run the PC Health Check on the W10 VM, it says "TPM 2.0 must be supported and enabled on this machine".
We have 2 ESXi 7.3 hosts on Dell T140 servers. I purchased/added a TPM 2.0 chip on one, set the boot options to Secure Boot-Enabled, TPM Security-On, Intel TXT-On, SHA256. In vCenter (running on the T140 with the TPM), I created and saved a Native Key Provider, then disconnected and connected the 2 ESXi hosts. When I click the vCenter Cluster, Monitor, Security, the Attestation shows Passed for the host with the TPM chip and N/A for the one that doesn't. The W10 VM is on the host with the chip, and is at the latest hardware compatibility.
When I shut down the W10 VM and click Edit Settings, Add Device, I do not see Trusted Platform Module as one of the devices that can be added. Did I skip/miss something?
It does not require a physical TPM device in the host to add a vTPM to the VM.
I've created some tutorial videos on EE of adding a vTPM to a VM and a Native Key Provider; these are for vSphere 8.0, but the process is exactly the same for 7.0.
ASKER
I watched the videos yesterday and they were very helpful. I opened a question because I just don't have the device "Trusted Platform Module" like shown in the video, and I can't figure out why. Some other things I've tried/noticed:
- When creating a new VM, on step 4 - Select Storage, the checkbox Encrypt this VM (Requires Key Mgt Server) is grayed out. Is there a way to make sure the ESXi hosts are talking to the Native Key Provider I set up? Should I look somewhere for log entries saying if there's a problem?
- When I run esxcli system settings encryption get, I see:
Mode: None
Require Executables Only From Installed VIBs: false
Require Secure Boot: false
Should I do something to change the Mode to TPM? I read it can't be undone, so I didn't do anything.
- I have seen prereqs mentioning permissions. I have signed on as root (ESXi) or administrator@MyDomain.loc.
- I haven't set up a Trust Authority, only a Native Key Provider. It looks like a TA requires another vCenter license, which would be prohibitive. Do I need to do that?
- A week or so ago, when I first started looking at TPM, I created a Native Key Provider and deleted it (w/no backup). This is before I installed the TPM chip, did any other setup or tried to create VMs. Later I created a NKP and backed it up. Could this cause any problems?
Thanks.
There is no requirement to have a hardware TPM chip in the host to support vTPM.
Deleting the Key Provider just means you would not have been able to start VMs which had a vTPM, hence the reason to back up the keys; otherwise, if you have a hardware TPM, they are stored and cached in the hardware TPM device.
All these hosts are in a cluster, because vSphere Native Key Provider only operates on ESXi Hosts in a Cluster. If you notice in the video, the second host is moved into the cluster, and later the VM is created in the Cluster via vCenter Server.
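The expert's diagnosis above comes down to a handful of checks: a key provider exists in vCenter, the VM's host is a cluster member (the Native Key Provider is not offered to standalone hosts), and the host encryption settings the asker pasted from `esxcli system settings encryption get`. The PowerCLI script below gathers those checks into one report. It is an added example, not code from the thread or from the EE videos, and it assumes an already open `Connect-VIServer` session, PowerCLI 12.x or later (for `Get-KeyProvider`, `Get-VTpm` and `Get-EsxCli -V2`), and that the property names on the esxcli result object mirror the CLI field names; the VM name `W10-VM` is a placeholder.

```powershell
# Added example (not from the thread): PowerCLI readiness check for adding a vTPM.
# Assumptions: an existing Connect-VIServer session to vCenter, PowerCLI 12.x+,
# and esxcli result properties named like the CLI fields (Mode, RequireSecureBoot).

function Test-VTpmReadiness {
    param(
        [Parameter(Mandatory)] [string] $VMName
    )

    $vm     = Get-VM -Name $VMName
    $esx    = $vm | Get-VMHost
    $report = [ordered]@{}

    # 1. A key provider must exist in vCenter. A Native Key Provider is sufficient;
    #    no external KMS and no Trust Authority is needed for vTPM.
    $providers = Get-KeyProvider -ErrorAction SilentlyContinue
    $report['KeyProviderPresent'] = [bool]$providers
    $report['KeyProviderNames']   = ($providers | ForEach-Object Name) -join ', '

    # 2. The VM's host must be a member of a cluster; NKP does not serve standalone hosts.
    $clusterHosts = Get-Cluster | Get-VMHost
    $report['HostInCluster'] = $clusterHosts.Name -contains $esx.Name

    # 3. Host encryption settings, the same fields as 'esxcli system settings encryption get'.
    $esxcli = Get-EsxCli -VMHost $esx -V2
    $enc    = $esxcli.system.settings.encryption.get.Invoke()
    $report['HostEncryptionMode'] = $enc.Mode
    $report['RequireSecureBoot']  = $enc.RequireSecureBoot

    # 4. vTPM requires EFI firmware on the VM; a BIOS VM cannot take the device.
    $report['Firmware'] = $vm.ExtensionData.Config.Firmware

    # 5. Report whether the VM already carries a vTPM device.
    $report['HasVTpm'] = [bool]($vm | Get-VTpm -ErrorAction SilentlyContinue)

    [pscustomobject]$report
}

# Placeholder VM name; replace with the real one.
Test-VTpmReadiness -VMName 'W10-VM'
```

A result with `KeyProviderPresent` true but `HostInCluster` false is exactly the situation described in this thread: the provider exists, but the host running the VM cannot use it until it is moved into a cluster. Run the check again after the move before trying Edit Settings, Add Device.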
ASKER
This will be the issue.
Create a cluster and move the host which does not have vCenter Server hosted on it, as the host will need to have no VMs powered-up because it's in Maintenance Mode.
Do you have vMotion, HA and DRS?
ASKER
I'm afraid Essentials is just a very basic edition with no HA, DRS or vMotion.
Try Disconnecting the hosts and drag and drop into the Cluster.
This does not stop hosting.
No problem, thanks for the kind words and for watching the EE videos.