
Using Lenovo XClarity Essentials OneCLI

Use this section to set the TPM policy using Lenovo XClarity Essentials OneCLI.

Setting the policy

Important
  • The policy to be set must match the TPM hardware device. For example, if the hardware device is an onboard TPM chip for customers outside Chinese Mainland and the policy is set to NationZ TPM 2.0 enabled - China only, the setting fails.

  • After the policy is set using OneCLI commands, it must be locked on field sites for security reasons.

  • Once the policy has been set and locked, it cannot be unlocked or reset on field sites.

Steps:

  1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:

    OneCli.exe config show imm.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
    Note

    The imm.TpmTcmPolicyLock value must be Disabled, which means TPM_TCM_POLICY is NOT locked and changes to the TPM_TCM_POLICY are permitted. If the value returned is Enabled, no changes to the policy are permitted; the planar may still be used if the locked setting is already correct for the system being replaced.

  2. Configure the TPM_TCM_POLICY into XCC:

    • NationZ TPM 2.0 enabled - China only

      Customers in Chinese Mainland that intend to enable TPM should select this TPM policy.

      OneCli.exe config set imm.TpmTcmPolicy "NationZTPM20Only" --override --bmc <userid>:<password>@<ip_address>
    • TPM enabled - ROW

      Customers outside Chinese Mainland that intend to enable TPM should select this TPM policy.

      OneCli.exe config set imm.TpmTcmPolicy "TpmOnly" --override --bmc <userid>:<password>@<ip_address>
    • Permanently disabled

      Customers in Chinese Mainland with no TPM, or customers who need to disable TPM, should select this policy.

      OneCli.exe config set imm.TpmTcmPolicy "NeitherTpmNorTcm" --override --bmc <userid>:<password>@<ip_address>
  3. Issue the reset command to reboot the system:

    OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
  4. Read back the value to check whether the change has been accepted:

    OneCli.exe config show imm.TpmTcmPolicy --override --bmc <userid>:<password>@<ip_address>
    Note

    If the value read back matches the value you set, the TPM_TCM_POLICY has been set correctly.

    imm.TpmTcmPolicy is defined as below:
    • Value 0 uses the string Undefined, which means UNDEFINED policy.

    • Value 1 uses the string NeitherTpmNorTcm, which means TPM_PERM_DISABLED.

    • Value 2 uses the string TpmOnly, which means TPM_ALLOWED.

    • Value 4 uses the string NationZTPM20Only, which means NationZTPM20_ALLOWED.

Locking the TPM policy

Steps:

  1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:

    OneCli.exe config show imm.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
    Note

    The value must be Disabled, which means TPM_TCM_POLICY is not yet locked and the lock can be applied.

  2. Lock the TPM_TCM_POLICY:

    OneCli.exe config set imm.TpmTcmPolicyLock "Enabled" --override --bmc <userid>:<password>@<ip_address>
  3. Issue the reset command to reboot the system:

    OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>

    During the reset, UEFI reads the value of imm.TpmTcmPolicyLock; if it is Enabled and the imm.TpmTcmPolicy value is valid, UEFI locks the TPM_TCM_POLICY setting.

    The valid values for imm.TpmTcmPolicy are NeitherTpmNorTcm, TpmOnly, and NationZTPM20Only.

    If imm.TpmTcmPolicyLock is set to Enabled but the imm.TpmTcmPolicy value is invalid, UEFI rejects the lock request and changes imm.TpmTcmPolicyLock back to Disabled.

  4. Read back the lock value to check whether the lock was accepted or rejected:

    OneCli.exe config show imm.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
    Note
    If the value read back has changed from Disabled to Enabled, the TPM_TCM_POLICY has been locked successfully. There is no way to unlock a policy once it has been locked other than replacing the system board.

    imm.TpmTcmPolicyLock is defined as below:

    Value 1 uses the string Enabled, which means lock the policy. Other values are not accepted.
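The two procedures above (set the policy, reboot, verify; then lock, reboot, verify) are easy to get wrong by hand, and a mistake at the lock step is permanent. The script below is an added example, not Lenovo's code or part of OneCLI: it runs the same OneCLI commands in order and checks each precondition the page states before the step that depends on it (policy matches the TPM hardware, lock is still Disabled, policy read back is one of the three valid strings, lock read back is Enabled). Assumptions: the OneCLI binary is on PATH as `OneCli` (or `OneCli.exe`), and `config show` prints each setting as a `IMM.TpmTcmPolicyLock=Disabled` style line, which is the only part the parser depends on. The `simulated_runner` is a constructed stand-in for XCC/UEFI that follows the rules stated on the page so the workflow can be exercised offline; the hardware-to-policy table is the example's own reading of the page's Important notes, not a list from Lenovo.

```python
import re
import subprocess
from typing import Callable, Dict, List

ONECLI = "OneCli"  # ASSUMPTION: OneCLI binary on PATH ("OneCli.exe" on Windows behaves the same).

# Policy strings and codes as the page defines them for imm.TpmTcmPolicy.
POLICY_CODES = {"Undefined": 0, "NeitherTpmNorTcm": 1, "TpmOnly": 2, "NationZTPM20Only": 4}
VALID_POLICIES = ("NeitherTpmNorTcm", "TpmOnly", "NationZTPM20Only")
# Which policies fit which TPM hardware; the set fails when they do not match (assumed table).
HARDWARE_POLICIES = {
    "onboard_tpm": {"TpmOnly", "NeitherTpmNorTcm"},            # ROW onboard chip
    "nationz_tpm20": {"NationZTPM20Only", "NeitherTpmNorTcm"},  # Chinese Mainland
    "no_tpm": {"NeitherTpmNorTcm"},
}

Runner = Callable[[List[str]], str]  # runs OneCLI with the given arguments, returns stdout


def parse_show(output: str) -> Dict[str, str]:
    """Parse `config show` output into {setting: value} with lower-cased setting names.
    ASSUMPTION: each result is printed as one `IMM.TpmTcmPolicyLock=Disabled` style line."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=\s*(\S+)", line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values


def onecli_runner(bmc: str) -> Runner:
    """Runner that really invokes OneCLI; `bmc` is userid:password@ip exactly as on the page.
    Caveat: the credential is visible in the process list, so use a dedicated BMC account."""
    def run(args: List[str]) -> str:
        cp = subprocess.run([ONECLI, *args, "--bmc", bmc], capture_output=True, text=True, check=True)
        return cp.stdout
    return run


def simulated_runner(policy: str = "Undefined", lock: str = "Disabled") -> Runner:
    """Constructed offline stand-in for XCC/UEFI following the rules stated on the page:
    a locked policy cannot be changed, and at reboot UEFI reverts a lock whose policy is invalid."""
    state = {"imm.tpmtcmpolicy": policy, "imm.tpmtcmpolicylock": lock}

    def run(args: List[str]) -> str:
        if args[:2] == ["config", "show"]:
            return f"{args[2]}={state[args[2].lower()]}\n"
        if args[:2] == ["config", "set"]:
            key = args[2].lower()
            if key == "imm.tpmtcmpolicy" and state["imm.tpmtcmpolicylock"] == "Enabled":
                return "ERROR: setting is locked\n"  # constructed message; value left unchanged
            state[key] = args[3]
            return ""
        if args == ["misc", "ospower", "reboot"]:
            if state["imm.tpmtcmpolicylock"] == "Enabled" and state["imm.tpmtcmpolicy"] not in VALID_POLICIES:
                state["imm.tpmtcmpolicylock"] = "Disabled"
            return ""
        raise ValueError(f"unexpected OneCLI arguments: {args}")
    return run


def show(run: Runner, setting: str) -> str:
    """Read one setting the way the page does (`config show <setting> --override`)."""
    return parse_show(run(["config", "show", setting, "--override"])).get(setting.lower(), "")


def set_and_lock_policy(run: Runner, policy: str, hardware: str,
                        wait_for_post: Callable[[], None] = lambda: None) -> Dict[str, str]:
    """Both procedures end to end. Every precondition is checked before the step that would
    otherwise fail or, worse, lock the wrong policy permanently. `wait_for_post` should block
    until the reboot has completed (for example by polling the BMC); the default is a no-op."""
    if policy not in HARDWARE_POLICIES.get(hardware, set()):
        return {"status": "refused", "reason": f"{policy} does not match TPM hardware {hardware}"}
    if show(run, "imm.TpmTcmPolicyLock") != "Disabled":
        return {"status": "refused", "reason": "policy already locked; only a system board swap changes it"}
    run(["config", "set", "imm.TpmTcmPolicy", policy, "--override"])
    run(["misc", "ospower", "reboot"])
    wait_for_post()
    applied = show(run, "imm.TpmTcmPolicy")
    if applied != policy or applied not in VALID_POLICIES:
        return {"status": "failed", "reason": f"policy read back as {applied!r}, expected {policy!r}"}
    run(["config", "set", "imm.TpmTcmPolicyLock", "Enabled", "--override"])
    run(["misc", "ospower", "reboot"])
    wait_for_post()
    lock = show(run, "imm.TpmTcmPolicyLock")
    if lock != "Enabled":
        return {"status": "failed", "reason": "UEFI rejected the lock request (lock reverted to Disabled)"}
    return {"status": "locked", "policy": applied, "lock": lock}


if __name__ == "__main__":
    # Offline run against the simulated BMC; swap in onecli_runner("user:pass@10.0.0.5") for a real XCC.
    print(set_and_lock_policy(simulated_runner(), "TpmOnly", "onboard_tpm"))
```

Against a real system, replace `simulated_runner()` with `onecli_runner(...)` and pass a `wait_for_post` that actually waits for POST to finish, since `misc ospower reboot` returns before UEFI has evaluated the lock request; reading the values back too early gives a stale answer. The policy read back is compared with the three valid strings before the lock is requested, which is exactly the condition UEFI applies at the second reboot, so a rejected lock is caught before the system is rebooted a second time.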