How to Fix “Host TPM Attestation Alarm” in VMware? [2024]
- Host Attestation in vSphere verifies the integrity of the host system to ensure it hasn't been tampered with, creating a secure environment for Virtual Machines (VMs).
- The "Host TPM Attestation Alarm" typically arises from issues with the physical TPM 2.0 chip, often due to incorrect UEFI settings or adding a new TPM chip.
- To fix this error, ensure Secure Boot is enabled, TPM settings are correct, and vCenter Server/ESXi versions are updated; disconnecting and reconnecting the host from vCenter can also resolve the issue if a new TPM was added.
In VMware, or more specifically vSphere, you might encounter an alarm reading “Host TPM Attestation Alarm”. If you have just installed a new TPM 2.0 chip in your host, it can be confusing to see this message. In this guide, we’ll discuss what Host Attestation means and how you can fix this problem.
What is Host Attestation?
In simple terms, Host Attestation verifies the integrity of the physical server (the host) on which vSphere runs your Virtual Machines. This ensures that the system has not been tampered with and offers a safe environment for the VMs on it. Think of it this way: you (the VM) would want your house (the host) to be secure.
A report containing vital data about the host’s state is generated and compared against known or expected values to decide whether the host is trustworthy. This becomes indispensable in server environments where data worth billions of dollars is fed into remote machines, and you want to be sure those machines can be trusted.
Typically, a physical TPM is not required in vSphere. Each VM in a vSphere environment can be given a vTPM (Virtual TPM), which provides TPM functions to the guest operating system. You don’t need a physical TPM to use a vTPM. A vTPM allows services like BitLocker to be used in each VM separately.
The “Host TPM Attestation Alarm” is triggered by the physical TPM, for one of several reasons: a newly added TPM chip, TPM hardware that does not meet the requirements, incorrect UEFI settings, or an outdated vSphere/vCenter version.
How to Fix “Host TPM Attestation Alarm”?
Luckily for us, fixing the Host TPM Attestation Alarm is not that difficult. First, we need to find the root cause of the problem. To do so, we can either view the respective error message or go through the logs.
- Connect to the vCenter Server.
- Select a data center and go to the “Monitor” tab.
- Under “Performance”, click on “Security”.
- Locate the host that is facing this issue and check the error message in the “Message” column.
- If the message says “Host secure boot was disabled”, follow Step 1 below to enable Secure Boot in your UEFI settings. If the “Attestation” column simply states “Failed”, you’ll have to check the vCenter Server log files; VMware’s documentation describes where they are located.
- Once you’ve found the vpxd.log file, check whether it contains the line “No cached identity key, loading from DB”. If so, follow Step 2.
1) Does Your Host Meet the Requirements?
If your environment is configured to use host attestation, the host must meet a few requirements:
- A physical TPM 2.0 chip
- Secure Boot must be enabled
- TPM must support the SHA-256 hashing algorithm
- vCenter Server and ESXi versions must be updated to 6.7 or higher
In almost all cases, the user has accidentally disabled either TPM or Secure Boot. To re-enable these settings, follow these steps:
- Restart the host and press the key that opens UEFI setup, commonly “Delete”, “F1”, “F2” or “F10”.
- Navigate to the “Boot” tab, find the “Secure Boot” setting and set it to “Enabled”.
- Next, we need to enable TPM. Go to the “Settings” tab. In our case, TPM was listed under the “Trusted Computing” section. This could be different on your system, so it is best to consult your motherboard’s manual.
- If vCenter Server and ESXi are not up to date, upgrade them to at least version 6.7, as the requirements state. As vSphere and vCenter are sophisticated products, follow VMware’s official upgrade guides for vSphere and vCenter to avoid unforeseen problems.
2) Installing a TPM Chip in an Existing Host
If your log files contain the text “No cached identity key, loading from DB”, this essentially means that you installed a TPM 2.0 chip in a host that was already managed by vCenter. To fix this, put your host in maintenance mode, disconnect the ESXi host from the vCenter Server, and reconnect it.
- Log in to the vSphere Client.
- Right-click on the respective ESXi host.
- Select “Maintenance Mode” and click on “Enter Maintenance Mode”.
- Once in Maintenance Mode, right-click on the host again. Go to “Connection” and select “Disconnect”.
- After the host has been disconnected, right-click on it once more, go to “Connection” and select “Connect”. Wait until the task status updates to complete.
- If the vpxd.log file no longer shows the same message, reset the alarm to green manually.
How Reliable is TPM?
Host Attestation relies on the TPM (Trusted Platform Module) hardware on the host. As the system boots, it records measurements (hashes) of its current state, firmware, software and so on into the TPM. Each new measurement is hashed together with the previous value, a process called hash-chaining, which makes the final value practically impossible to spoof or reproduce without the exact same boot sequence.
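To make the hash-chaining argument concrete, here is an added Python model (not VMware’s code) of how a TPM 2.0 PCR is extended during boot and then checked against an event log and a known good value. The boot events are constructed for a hypothetical host, and the real check also verifies the TPM’s signature on the quote, which is omitted here.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 digest length, the PCR bank vSphere attestation requires

# Constructed boot event log for a hypothetical host; not real ESXi measurements.
GOOD_BOOT = [
    b"UEFI firmware build 1.2",
    b"Secure Boot: enabled",
    b"ESXi bootloader",
    b"ESXi kernel and boot modules",
]
# The same host booted after Secure Boot was turned off in UEFI setup.
INSECURE_BOOT = [e.replace(b"enabled", b"disabled") for e in GOOD_BOOT]


def extend(pcr, event):
    """TPM 2.0 PCR extend: new = SHA-256(old || SHA-256(event)). The old value
    is folded into the new one, so a PCR can be extended but never set."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay_event_log(events):
    """Recompute a PCR from its event log, starting at the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def attest_host(quoted_pcr, event_log, known_good_pcr):
    """Simplified attestation check: the PCR quoted by the TPM must be
    reproducible from the event log and must equal the value recorded for a
    trusted host. Returns "Passed" or a "Failed: ..." reason."""
    if replay_event_log(event_log) != quoted_pcr:
        return "Failed: event log does not reproduce the quoted PCR"
    if quoted_pcr != known_good_pcr:
        return "Failed: PCR differs from the known good value"
    return "Passed"


if __name__ == "__main__":
    known_good = replay_event_log(GOOD_BOOT)
    print("healthy host:   ", attest_host(known_good, GOOD_BOOT, known_good))
    # Secure Boot off changes the chain, so attestation fails ...
    quote = replay_event_log(INSECURE_BOOT)
    print("Secure Boot off:", attest_host(quote, INSECURE_BOOT, known_good))
    # ... and a log edited to claim it was on is caught too, because the
    # TPM-held quote no longer matches the edited log.
    print("edited log:     ", attest_host(quote, GOOD_BOOT, known_good))
    # Order matters: the same components measured in another order differ.
    print("reorder differs:", replay_event_log(GOOD_BOOT[::-1]) != known_good)
```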
The physical TPM on your host cannot be passed on to the VMs installed on it. The VMs use what is called a vTPM (Virtual TPM) which offers the software-level functionality of a TPM 2.0 chip. The physical TPM assures that the host booted securely and has little to nothing to do with the VMs installed on it.
If your host uses Host Attestation and the attestation fails because of the physical TPM, the host may become unable to decrypt VM configuration files because the vCenter Server no longer trusts it.
Therefore, TPM can become extremely useful if you’re all in for that extra layer of protection and security. However, be mindful of its drawbacks since services like BitLocker can encrypt your entire drive and make it inaccessible without valid credentials.
Conclusion
The “Host TPM Attestation Alarm” is a complex and detailed topic if you get into the nitty-gritty; however, fixing this problem involves just two simple checks. Do note that there can be a large number of issues if you’re setting up this feature, such as hashing algorithms, managing many hosts, and so on, but they get extremely specific.
However, thanks to abstraction and a streamlined process, this error is mostly caused by incorrect UEFI settings or improper installation of the TPM chip. In any case, while TPM has its benefits, it also poses the risk of completely locking you out of your system in rare scenarios. Therefore, we recommend that users assess the risks and benefits and proceed with caution.
FAQs
What is Host Attestation?
Host Attestation is a measure that verifies whether host machines are trustworthy before users can interact with them. An Attestation Service checks the host’s integrity against known good values or a predefined policy.
How serious is the “Host TPM Attestation Alarm”?
It depends on the extent of the problem. Generally speaking, the “Host TPM Attestation Alarm” is related to the host or the physical TPM. In the worst-case scenario, you could be locked out of your Virtual Machines if the vCenter Server deems your host to be compromised.
Do Virtual Machines depend on the physical TPM?
The Virtual Machines installed on hosts use what is called a Virtual TPM. Virtual TPMs do not depend on the physical TPM in any way.