Resolving a TPM problem with vCenter Server

After installing ESXi 8, I ran into the error “TPM 2.0 device detected but a connection cannot be established.” or “TPM Encryption Recovery Key Backup”.

So I first had to look into how TPM works. The article “vSphere 6.7 – ESXi and TPM 2.0” is a good reference. Being lazy, I went straight to the video “Securing ESXi Hosts with Trusted Platform Module”, and once I had a rough idea I just started hammering out the settings.

First, TPM must be enabled in UEFI and Secure Boot must be turned on. Every system does this differently, so I'll skip that part.

Then, following “Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration”, the problem was solved.

Here are my notes:

Log in to ESXi and check the current state:

[root@liho:~] esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false

If Mode shows NONE, set the mode to TPM:

[root@liho:~] esxcli system settings encryption set --mode=TPM

Next, require Secure Boot, and while you're at it check that the setting took effect:

[root@liho:~] esxcli system settings encryption set --require-secure-boot=T
[root@liho:~] esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true

Once everything looks right, save the configuration:

[root@liho:~] /sbin/auto-backup.sh
Bootbank lock is /tmp/xxxxxxxxx-xxxxxx-xxxx-xxxx.lck
Saving current state in /bootbank
Creating ConfigStore Backup
Locking esx.conf
Creating archive
Unlocked esx.conf
Using key ID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx to encrypt
Clock updated.
Time: 02:02:38   Date: 12/02/2022   UTC
[root@liho:~]

After that, vCenter Server no longer shows the warning :)
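As an added example (not from the original post), here is a small POSIX shell check that parses the output of `esxcli system settings encryption get` and reports which of the `set` commands above still need to be run on a host; the sample output is constructed to mirror a host whose Mode is still NONE.

```shell
#!/bin/sh
# Added example, not from the original post: parse the output of
# `esxcli system settings encryption get` and report which settings
# from the post (Mode: TPM, Require Secure Boot: true) are still missing.
# The sample below is constructed; on a real host feed in the live output.

SAMPLE_BEFORE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# get_field OUTPUT FIELD -> prints the value that follows "FIELD:"
get_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# required_fixes OUTPUT -> prints the esxcli commands still needed, one per
# line; empty output means the host already matches the desired state.
required_fixes() {
  mode=$(get_field "$1" "Mode")
  sb=$(get_field "$1" "Require Secure Boot")
  [ "$mode" = "TPM" ] || echo "esxcli system settings encryption set --mode=TPM"
  [ "$sb" = "true" ] || echo "esxcli system settings encryption set --require-secure-boot=T"
}

# Live usage on an ESXi host would be:
#   required_fixes "$(esxcli system settings encryption get)"
required_fixes "$SAMPLE_BEFORE"
```

Remember that after applying any reported command you still need to run /sbin/auto-backup.sh, as in the notes above, or the change is lost on reboot.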

To turn it back off, run the following commands and save:

[root@liho:~] esxcli system settings encryption set --require-secure-boot=F
[root@liho:~] /sbin/auto-backup.sh