docs/doc/source/security/kubernetes/tpm-configuration-considerations.rst
Keane Lim 3c5fa979a4 Security guide update
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00

TPM Configuration Considerations

There are some considerations to account for when configuring or reconfiguring TPM.

These include behavior and warnings that you may encounter when configuring TPM from the CLI. The same behavior and warnings occur when you perform these actions in the Horizon Web interface.

  • The system certificate-show tpm command reports the status of the TPM configuration on each controller in its details field, either tpm-config-failed or tpm-config-applied.

    ~(keystone_admin)]$ system certificate-show tpm
    +-------------+-----------------------------------------------------+
    | Property    | Value                                               |
    +-------------+-----------------------------------------------------+
    | uuid        | ed3d6a22-996d-421b-b4a5-64ab42ebe8be                |
    | certtype    | tpm_mode                                            |
    | signature   | tpm_mode_13214262027721489760                       |
    | start_date  | 2018-03-21T14:53:03+00:00                           |
    | expiry_date | 2019-03-21T14:53:03+00:00                           |
    | details     | {u'state': {u'controller-1': u'tpm-config-applied', |
    |             |  u'controller-0': u'tpm-config-applied'}}           |
    +-------------+-----------------------------------------------------+
  • If either controller is in the tpm-config-failed state, a 500.100 alarm (severity major) is raised against that host.

    ~(keystone_admin)]$ fm alarm-list
    
    +----------+------------------+------------------+----------+------------+
    | Alarm ID | Reason Text      | Entity ID        | Severity | Time Stamp |
    +----------+------------------+------------------+----------+------------+
    | 500.100  | TPM configuration| host=controller-1| major    | 2017-06-1..|
    |          | failed or device.|                  |          |.586010     |
    +----------+------------------+------------------+----------+------------+
  • An UNLOCKED controller node that is not in the TPM applied configuration state (tpm-config-applied) cannot be swacted to or upgraded.

    The following warning is generated when you attempt to swact away from controller-0 while controller-1 is not in the tpm-config-applied state:

    ~(keystone_admin)]$ system host-swact controller-0
    TPM configuration not fully applied on host controller-1; Please
    run https-certificate-install before re-attempting.
  • A LOCKED controller node that is not in the TPM applied configuration state (tpm-config-applied) cannot be UNLOCKED.

    The host-list command below shows controller-1 as locked and disabled.

    ~(keystone_admin)]$ system host-list
    
    +----+--------------+-------------+----------------+-------------+--------------+
    | id | hostname     | personality | administrative | operational | availability |
    +----+--------------+-------------+----------------+-------------+--------------+
    | 1  | controller-0 | controller  | unlocked       | enabled     | available    |
    | 2  | controller-1 | controller  | locked         | disabled    | online       |
    +----+--------------+-------------+----------------+-------------+--------------+

    The following warning is generated when you attempt to UNLOCK a controller that is not in the tpm-config-applied state:

    ~(keystone_admin)]$ system host-unlock controller-1
    
    TPM configuration not fully applied on host controller-1; Please
    run https-certificate-install before re-attempting
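
The checks above can be scripted as a pre-flight gate to run before system host-swact, system host-unlock or an upgrade, so the operation is refused locally instead of failing with the warnings shown. The script below is an added example and is not part of the StarlingX documentation or code base. It parses the system certificate-show tpm and fm alarm-list output formats shown on this page; the sample outputs embedded in it are constructed, not captured from a live system, so it runs offline. The function names and the tolerance for details output with or without the Python 2 u'' prefix are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight helper (example only, not StarlingX code).
# Assumes `system certificate-show tpm` prints the details field as shown on
# this page (with or without the Python 2 u'' prefix, an assumption) and that
# `fm alarm-list` prints one "| 500.100 | ... | host=<name> | ..." row per host.

# Parse `system certificate-show tpm` output (stdin) into "<host> <state>" lines.
tpm_states() {
  grep -oE "u?'controller-[0-9]+': u?'tpm-config-[a-z]+'" \
    | sed -E "s/u?'(controller-[0-9]+)': u?'(tpm-config-[a-z]+)'/\1 \2/" \
    | sort
}

# Hosts with an active 500.100 alarm, parsed from `fm alarm-list` output (stdin).
tpm_alarm_hosts() {
  grep '^|[[:space:]]*500\.100[[:space:]]*|' \
    | grep -oE 'host=controller-[0-9]+' \
    | sed 's/^host=//' \
    | sort -u
}

# Gate for swact/unlock/upgrade: succeed only if every controller reports
# tpm-config-applied. Reads `system certificate-show tpm` output from stdin.
tpm_preflight() {
  bad=$(tpm_states | awk '$2 != "tpm-config-applied" { print $1 }')
  if [ -n "$bad" ]; then
    printf 'TPM configuration not fully applied on: %s\n' \
      "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Constructed sample outputs (not captured from a live system) for offline use.
SAMPLE_APPLIED=$(cat <<'EOF'
+-------------+-----------------------------------------------------+
| Property    | Value                                               |
+-------------+-----------------------------------------------------+
| certtype    | tpm_mode                                            |
| details     | {u'state': {u'controller-1': u'tpm-config-applied', |
|             |  u'controller-0': u'tpm-config-applied'}}           |
+-------------+-----------------------------------------------------+
EOF
)
SAMPLE_FAILED=$(cat <<'EOF'
| details     | {u'state': {u'controller-1': u'tpm-config-failed',  |
|             |  u'controller-0': u'tpm-config-applied'}}           |
EOF
)
SAMPLE_ALARMS=$(cat <<'EOF'
+----------+------------------+------------------+----------+------------+
| Alarm ID | Reason Text      | Entity ID        | Severity | Time Stamp |
+----------+------------------+------------------+----------+------------+
| 500.100  | TPM configuration| host=controller-1| major    | 2017-06-1..|
|          | failed or device.|                  |          |.586010     |
+----------+------------------+------------------+----------+------------+
EOF
)

# Demo on the constructed samples. On a live system replace the printf with
# the real command, e.g.:
#   system certificate-show tpm | tpm_preflight && system host-swact controller-0
printf '%s\n' "$SAMPLE_APPLIED" | tpm_preflight \
  && echo "preflight ok: safe to swact/unlock"
printf '%s\n' "$SAMPLE_FAILED" | tpm_preflight \
  || echo "preflight blocked; hosts with 500.100: $(printf '%s\n' "$SAMPLE_ALARMS" | tpm_alarm_hosts)"
```

tpm_preflight reads the certificate output from stdin and exits non-zero as soon as any controller is not in tpm-config-applied, naming the offending hosts on stderr, so it can be chained with && in front of the swact, unlock or upgrade command; tpm_alarm_hosts is the matching cross-check against the 500.100 alarm.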