What is Host Attestation?

In simple terms, host attestation verifies the integrity of the physical server (the host) on which your vSphere virtual machines run. While the host boots, its UEFI firmware and ESXi measure each component that loads and record those measurements in the host's TPM (Trusted Platform Module). vCenter Server then asks the TPM for a signed report of the recorded values and compares it with known or expected values to decide whether the host is trustworthy. Think of the VM as a tenant who wants to know that the house (the host) has not been tampered with. This matters most in server environments where valuable business data is processed on remote machines that you need to be able to trust.

A physical TPM is not required to run vSphere. VMs can instead be given a vTPM (virtual TPM), which ESXi implements in software and which does not depend on a physical TPM in the host; it does, however, require a key provider configured in vCenter, because the vTPM's state is stored encrypted with the VM. A vTPM lets each VM use services such as BitLocker independently of the others. The "Host TPM Attestation Alarm" comes from the physical TPM, not from any vTPM: it is raised when vCenter cannot successfully attest the host. Common causes are a TPM chip added to a host that vCenter already managed, a TPM that does not meet the requirements, incorrect UEFI settings, or a vCenter/ESXi version that is too old.

How to Fix “Host TPM Attestation Alarm”?

Luckily, fixing the Host TPM Attestation Alarm is not difficult. First find the root cause, either from the alarm's error message in the vSphere Client or from the logs (the vpxd log on vCenter Server is the one that records the attestation result).

1) Does Your Host Meet the Requirements?

Host attestation is a vCenter Server and ESXi feature, not a per-VM setting. For vCenter to attest a host, the host must meet a few requirements:

- A physical TPM 2.0 chip (TPM 1.2 is not supported)
- UEFI Secure Boot enabled
- The TPM configured to use the SHA-256 hash algorithm (the SHA-256 PCR bank); the TPM hashes boot measurements rather than encrypting anything, so "SHA-256 encryption" in firmware menus means this setting
- vCenter Server and ESXi 6.7 or later

In almost all cases the TPM or Secure Boot has been turned off in the host's UEFI firmware setup, often unintentionally. Re-enable both there (on the physical host, not inside a VM) and reboot the host. Before turning Secure Boot on, check that every installed VIB is signed, for example with /usr/lib/vmware/secureboot/bin/secureBoot.py -c on the host, because ESXi refuses to boot with Secure Boot enabled if an unsigned VIB is present.

2) Installing a TPM Chip in an Existing Host

If the vpxd log contains the text "No cached identity key, loading from DB", a TPM 2.0 chip was installed in a host that vCenter Server already managed, so vCenter is still working from the identity it cached before the TPM existed. To fix this, put the host in maintenance mode, disconnect it from vCenter Server, and reconnect it; on reconnect vCenter re-reads the host's TPM and the alarm clears once attestation succeeds.
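The two checks above as one PowerCLI script, added here as a worked example; it is not VMware's or the article's own code. The vCenter and host names are placeholders, the -Reconnect switch is a hypothetical flag that performs step 2, and the HostCapability TpmSupported/TpmVersion and Runtime TpmPcrValues properties and the esxcli system settings encryption namespace (ESXi 7.0 and later) are assumed to be available on your hosts.

```powershell
# Added example, not VMware's or the article's own code. Assumes PowerCLI is
# installed; the server and host names below are placeholders.
param(
    [string]$VCenter  = 'vcenter.example.local',   # assumption: your vCenter Server
    [string]$HostName = 'esx01.example.local',     # assumption: the host raising the alarm
    [switch]$Reconnect                             # hypothetical flag: perform step 2
)
Import-Module VMware.PowerCLI -ErrorAction Stop
$vi     = Connect-VIServer -Server $VCenter -ErrorAction Stop
$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

# Requirement: vCenter Server and ESXi 6.7 or later
"vCenter $($vi.Version), ESXi $($vmhost.Version)"
if ([version]$vi.Version -lt [version]'6.7' -or [version]$vmhost.Version -lt [version]'6.7') {
    Write-Warning 'Host attestation needs vCenter Server and ESXi 6.7 or later'
}

# Requirement: a physical TPM 2.0 that ESXi can see (HostCapability fields, assumed)
$cap = $vmhost.ExtensionData.Capability
"TPM supported: $($cap.TpmSupported), TPM version: $($cap.TpmVersion)"
if (-not $cap.TpmSupported -or $cap.TpmVersion -notlike '2*') {
    Write-Warning 'No usable TPM 2.0: check the chip and the UEFI TPM setting'
}

# Requirement: SHA-256 PCR bank. ESXi publishes the PCR values it read from the TPM.
$pcrs = @($vmhost.ExtensionData.Runtime.TpmPcrValues | Where-Object { $_.DigestMethod -match '256' })
"PCRs reported with SHA-256: $($pcrs.Count)"
if ($pcrs.Count -eq 0) { Write-Warning 'No SHA-256 PCR values: enable the SHA-256 bank in UEFI setup' }

# Requirement: Secure Boot. This esxcli namespace exists on ESXi 7.0 and later; on 6.7
# run /usr/lib/vmware/secureboot/bin/secureBoot.py -s on the host instead.
try {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $enc    = $esxcli.system.settings.encryption.get.Invoke()
    "Secure Boot required: $($enc.RequireSecureBoot), TPM mode: $($enc.Mode)"
} catch {
    Write-Warning "Could not query esxcli system settings encryption: $($_.Exception.Message)"
}

# Step 2: TPM added to a host vCenter already manages. Disconnect and reconnect so
# vCenter drops its cached identity key and re-reads the TPM.
if ($Reconnect) {
    Set-VMHost -VMHost $vmhost -State Maintenance  -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmhost -State Disconnected -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmhost -State Connected    -Confirm:$false | Out-Null
    $vmhost = Get-VMHost -Name $HostName
    if ($vmhost.ConnectionState -eq 'Maintenance') {
        # reconnecting leaves the host in maintenance mode; take it out again
        Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
    }
}
Disconnect-VIServer -Server $vi -Confirm:$false
```

Run it once without -Reconnect to see which requirement fails; disconnecting a host does not stop its VMs, but maintenance mode evacuates them, so run the reconnect step in a change window.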

How Reliable is TPM?

Host attestation relies on the TPM (Trusted Platform Module) hardware in the host. During boot, each piece of firmware and software that loads is hashed and the hash is folded into a TPM register called a PCR (Platform Configuration Register) with an "extend" operation: the new PCR value is SHA-256 of the old value concatenated with the new measurement. A PCR cannot be written directly or rewound, so its final value depends on every measured component and on the order in which they loaded; change one byte of firmware and every later value differs. The TPM signs the report of these values with a key that never leaves the chip, which makes it computationally infeasible for software on the host to spoof or recreate a report for a different boot. One caveat a practitioner should keep in mind: attestation proves what the host booted, not that it remained clean afterwards.

The physical TPM in your host cannot be passed through to the VMs running on it. VMs use a vTPM (virtual TPM), a software implementation of TPM 2.0 functionality whose state is stored encrypted alongside the VM. The physical TPM assures that the host booted securely and has little to do with the VMs themselves. The two do meet in one situation: where key release depends on attestation (vSphere Trust Authority), a host whose attestation fails because of its physical TPM is not trusted, so it cannot obtain the keys to decrypt encrypted VMs, including VMs with a vTPM, and those VMs will not start there.

TPM is therefore very useful if you want that extra layer of protection. Be mindful of its drawbacks, though: a guest that uses the vTPM for BitLocker has its entire drive encrypted, and if the vTPM state or the VM's keys become unavailable, the guest will only unlock with the BitLocker recovery key, so keep recovery keys escrowed.
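To make the PCR-extend chain described above concrete, here is a small PowerShell simulation of a SHA-256 PCR bank, added as an example and not part of the original article or of any VMware code. The boot component names are constructed stand-ins for firmware, boot loader and kernel modules, and the "golden" value plays the role of the known or expected value that vCenter compares against.

```powershell
# Added example (not VMware's or the article's code): simulate one TPM PCR to show
# why a measured-boot report cannot be recreated after tampering.
# A PCR starts at all zeros and can only change through
#   PCR = SHA256(PCR || SHA256(component))
# so the final value depends on every component and on their order.

$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-Digest([byte[]]$Bytes) { $sha.ComputeHash($Bytes) }

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Measurement)
    # Extend: hash the current PCR value concatenated with the new measurement
    Get-Digest ([byte[]]($Pcr + $Measurement))
}

function Get-BootPcr {
    param([string[]]$Components)
    $pcr = [byte[]]::new(32)                   # PCR reset value: 32 zero bytes
    foreach ($c in $Components) {
        # measure the component, then extend the PCR with the measurement
        $m   = Get-Digest ([Text.Encoding]::UTF8.GetBytes($c))
        $pcr = Invoke-PcrExtend -Pcr $pcr -Measurement $m
    }
    return -join ($pcr | ForEach-Object { $_.ToString('x2') })
}

# Constructed boot chains; the component names are placeholders, not real ESXi files
$golden    = Get-BootPcr @('uefi-fw-1.2', 'bootx64.efi', 'vmkernel', 'vib:esx-base')
$tampered  = Get-BootPcr @('uefi-fw-1.2', 'bootx64.efi', 'vmkernel', 'vib:rogue')
$reordered = Get-BootPcr @('bootx64.efi', 'uefi-fw-1.2', 'vmkernel', 'vib:esx-base')

"expected : $golden"
"tampered : $tampered  match=$($tampered -eq $golden)"
"reordered: $reordered  match=$($reordered -eq $golden)"
```

Both the tampered and the reordered chain produce a value that does not match the expected one, and because each step hashes the previous PCR value, there is no way to choose a final component that brings the register back to the golden value.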

Conclusion

The "Host TPM Attestation Alarm" is a detailed topic if you get into the nitty-gritty, but fixing it usually comes down to the two checks above. Setting the feature up can raise more specific issues, such as PCR hash algorithms or keeping many hosts consistent, yet in practice the alarm is most often caused by incorrect UEFI settings or by a TPM chip installed after the host was already managed by vCenter. While TPM has clear benefits, in rare scenarios it can also lock you out of encrypted VMs or guests. Assess the risks and benefits, keep recovery keys and key providers backed up, and proceed with care.
