Using Lenovo XClarity Essentials OneCLI
Use this section to set the TPM policy using Lenovo XClarity Essentials OneCLI.
Setting the policy
The policy to be set must match the TPM hardware device. For example, if the hardware device is an onboard chip for customers outside Chinese Mainland and the policy is set to "NationZ TPM 2.0 enabled - China only", the setting will fail. After the policy is set using OneCLI commands, it must, for security reasons, be locked on field sites.
Once the policy is successfully set and locked, it cannot be unlocked and reset on field sites.
Steps:
1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:
   OneCli.exe config show imm.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
   Note: The imm.TpmTcmPolicyLock value must be "Disabled", which means that TPM_TCM_POLICY is NOT locked and changes to it are permitted. If the returned value is "Enabled", no changes to the policy are permitted. The planar may still be used if the desired setting is correct for the system being replaced.
2. Configure the TPM_TCM_POLICY into XCC with the command that matches the required policy:
   - NationZ TPM 2.0 enabled - China only
     Customers in Chinese Mainland that intend to enable TPM should select this TPM policy.
     OneCli.exe config set imm.TpmTcmPolicy "NationZTPM20Only" --override --bmc <userid>:<password>@<ip_address>
   - TPM enabled - ROW
     Customers outside Chinese Mainland that intend to enable TPM should select this TPM policy.
     OneCli.exe config set imm.TpmTcmPolicy "TpmOnly" --override --bmc <userid>:<password>@<ip_address>
   - Permanently disabled
     Customers in Chinese Mainland with no TPM, or customers that need to disable TPM, should select this policy.
     OneCli.exe config set imm.TpmTcmPolicy "NeitherTpmNorTcm" --override --bmc <userid>:<password>@<ip_address>
3. Issue the reset command to reset the system:
   OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
4. Read back the value to check whether the change has been accepted:
   OneCli.exe config show imm.TpmTcmPolicy --override --bmc <userid>:<password>@<ip_address>
   Note: If the read-back value matches the value you set, the TPM_TCM_POLICY has been set correctly.
   imm.TpmTcmPolicy is defined as follows:
   - Value 0 uses the string "Undefined", which means UNDEFINED policy.
   - Value 1 uses the string "NeitherTpmNorTcm", which means TPM_PERM_DISABLED.
   - Value 2 uses the string "TpmOnly", which means TPM_ALLOWED.
   - Value 4 uses the string "NationZTPM20Only", which means NationZTPM20_ALLOWED.
Locking the TPM policy
Steps:
1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:
   OneCli.exe config show imm.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
   Note: The value must be "Disabled", which means that TPM_TCM_POLICY is NOT locked and must be set.
2. Lock the TPM_TCM_POLICY:
   OneCli.exe config set imm.TpmTcmPolicyLock "Enabled" --override --bmc <userid>:<password>@<ip_address>
3. Issue the reset command to reset the system:
   OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
   During the reset, UEFI reads the value of imm.TpmTcmPolicyLock. If the value is "Enabled" and the imm.TpmTcmPolicy value is valid, UEFI locks the TPM_TCM_POLICY setting. The valid values for imm.TpmTcmPolicy are "NeitherTpmNorTcm", "TpmOnly", and "NationZTPM20Only". If imm.TpmTcmPolicyLock is set to "Enabled" but the imm.TpmTcmPolicy value is invalid, UEFI rejects the lock request and changes imm.TpmTcmPolicyLock back to "Disabled".
4. Read back the value to check whether the lock was accepted or rejected:
   OneCli.exe config show imm.TpmTcmPolicy --override --bmc <userid>:<password>@<ip_address>
   Note: If the read-back value has changed from "Disabled" to "Enabled", the TPM_TCM_POLICY has been locked successfully. There is no method to unlock a policy once it has been set other than replacing the system board.
   imm.TpmTcmPolicyLock is defined as follows:
   - Value 1 uses the string "Enabled", which means lock the policy. Other values are not accepted.
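Because the lock is one-shot and a locked board with the wrong policy can only be fixed by replacing the planar, it is worth checking the preconditions of both procedures above (setting, then locking) before any command is sent. The following Python is an added example and not Lenovo's or OneCLI's code: it models the rules on this page as a pre-flight planner that builds the OneCli.exe command lines from the values already read back from imm.TpmTcmPolicyLock and imm.TpmTcmPolicy. The function names are hypothetical, and the lock read-back uses imm.TpmTcmPolicyLock, since that is the attribute whose "Disabled" to "Enabled" change the note describes.

```python
# Added example (not Lenovo's code): pre-flight planner for the OneCLI
# TPM_TCM_POLICY set-and-lock workflow. Function names are hypothetical.

# imm.TpmTcmPolicy values as documented on this page (numeric code -> string).
POLICY_CODES = {0: "Undefined", 1: "NeitherTpmNorTcm", 2: "TpmOnly", 4: "NationZTPM20Only"}
# Only these three are accepted by UEFI when a lock is requested at reset.
LOCKABLE = {"NeitherTpmNorTcm", "TpmOnly", "NationZTPM20Only"}


def onecli(*args, bmc, override=True):
    """Build one OneCli.exe command line targeting the BMC at 'bmc' (user:pass@ip)."""
    tail = " --override" if override else ""
    return "OneCli.exe " + " ".join(args) + f"{tail} --bmc {bmc}"


def plan_policy_change(lock_state, current_policy, desired_policy, bmc):
    """Return the ordered OneCLI commands to set desired_policy, or raise.

    lock_state and current_policy are the values read back from
    imm.TpmTcmPolicyLock and imm.TpmTcmPolicy before making any change.
    """
    if desired_policy not in LOCKABLE:
        raise ValueError(f"{desired_policy!r} is not a settable TPM_TCM_POLICY")
    if lock_state == "Enabled":
        # A locked board cannot be changed; it is reusable only if already correct.
        if current_policy == desired_policy:
            return []
        raise RuntimeError("policy is locked with a different value; replace the system board")
    if lock_state != "Disabled":
        raise RuntimeError(f"unexpected imm.TpmTcmPolicyLock value {lock_state!r}")
    return [
        onecli("config", "set", "imm.TpmTcmPolicy", f'"{desired_policy}"', bmc=bmc),
        onecli("misc", "ospower", "reboot", bmc=bmc, override=False),
        onecli("config", "show", "imm.TpmTcmPolicy", bmc=bmc),  # read back to verify
    ]


def uefi_lock_result(lock_requested, policy):
    """Model the UEFI decision at reset: the lock only sticks for a valid policy."""
    return "Enabled" if lock_requested == "Enabled" and policy in LOCKABLE else "Disabled"


def plan_lock(lock_state, current_policy, bmc):
    """Return the OneCLI commands to lock the policy; refuse if UEFI would reject it."""
    if lock_state != "Disabled":
        raise RuntimeError("TPM_TCM_POLICY is already locked; nothing to do")
    if uefi_lock_result("Enabled", current_policy) != "Enabled":
        raise RuntimeError(f"refusing to lock: policy {current_policy!r} would be rejected by UEFI")
    return [
        onecli("config", "set", "imm.TpmTcmPolicyLock", '"Enabled"', bmc=bmc),
        onecli("misc", "ospower", "reboot", bmc=bmc, override=False),
        onecli("config", "show", "imm.TpmTcmPolicyLock", bmc=bmc),  # expect "Enabled"
    ]
```

Run the planner with the two values read back in step 1 of each procedure and execute the returned commands in order, re-reading the lock state between the set and lock phases.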