
Set the TPM policy

By default, a replacement system I/O board is shipped with the TPM policy set to Undefined. You must modify this setting to match the setting that was in place for the system I/O board that is being replaced.

There are two methods available to set the TPM policy:
  • From Lenovo XClarity Provisioning Manager

    To set the TPM policy from Lenovo XClarity Provisioning Manager:
    1. Start the server and press the key according to the on-screen instructions to display the Lenovo XClarity Provisioning Manager interface.

    2. If the power-on Administrator password is required, enter the password.

    3. Click on the top right corner of the Lenovo XClarity Provisioning Manager interface, and then click Update VPD.

    4. Set the policy to one of the following settings.
      • NationZ TPM 2.0 enabled - China only. Customers in the Chinese Mainland should choose this setting if a NationZ TPM 2.0 adapter is installed.

      • TPM enabled - ROW. Customers outside of the Chinese Mainland should choose this setting.

      • Permanently disabled. Customers in the Chinese Mainland should use this setting if no TPM adapter is installed.

      Note

      Although the setting Undefined is available as a policy setting, it should not be used.

  • From Lenovo XClarity Essentials OneCLI

    Note
    A local IPMI user ID and password must be set up in Lenovo XClarity Controller for remote access to the target system.
    To set the TPM policy from Lenovo XClarity Essentials OneCLI:
    1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:

      OneCli.exe config show BMC.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
      Note

      The BMC.TpmTcmPolicyLock value must be 'Disabled', which means TPM_TCM_POLICY is NOT locked and changes to the TPM_TCM_POLICY are permitted. If the return code is 'Enabled', no changes to the policy are permitted. The planar may still be used if the desired setting is correct for the system being replaced.

    2. Configure the TPM_TCM_POLICY into XCC:

      • For customers in the Chinese Mainland with no TPM, or customers who need to disable the TPM:

        OneCli.exe config set BMC.TpmTcmPolicy "NeitherTpmNorTcm" --override --bmc <userid>:<password>@<ip_address>
      • For customers in the Chinese Mainland who need to enable the TPM:

        OneCli.exe config set BMC.TpmTcmPolicy "NationZTPM20Only" --override --bmc <userid>:<password>@<ip_address>
      • For customers outside the Chinese Mainland who need to enable the TPM:

        OneCli.exe config set BMC.TpmTcmPolicy "TPMOnly" --override --bmc <userid>:<password>@<ip_address>
    3. Issue the reset command to reset the system:

      OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
    4. Read back the value to check whether the change has been accepted:

      OneCli.exe config show BMC.TpmTcmPolicy --override --bmc <userid>:<password>@<ip_address>
      Note
      • If the read-back value matches the value you set, the TPM_TCM_POLICY has been set correctly.

        BMC.TpmTcmPolicy is defined as below:
        • Value 0 uses string "Undefined", which means UNDEFINED policy.

        • Value 1 uses string "NeitherTpmNorTcm", which means TPM_PERM_DISABLED.

        • Value 2 uses string "TPMOnly", which means TPM_ALLOWED.

        • Value 5 uses string "NationZTPM20Only", which means NationZ_TPM20_ALLOWED.

      • The following four steps must also be used to 'lock' the TPM_TCM_POLICY when using OneCli/ASU commands:

    5. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:

      OneCli.exe config show BMC.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>

      The value must be 'Disabled', which means TPM_TCM_POLICY is NOT locked and must be set.

    6. Lock the TPM_TCM_POLICY:

      OneCli.exe config set BMC.TpmTcmPolicyLock "Enabled" --override --bmc <userid>:<password>@<ip_address>
    7. Issue the reset command to reset the system:

      OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
      During the reset, UEFI will read the value from BMC.TpmTcmPolicyLock. If the value is 'Enabled' and the BMC.TpmTcmPolicy value is valid, UEFI will lock the TPM_TCM_POLICY setting.
      Note

      The valid values for BMC.TpmTcmPolicy include 'NeitherTpmNorTcm', 'TPMOnly', and 'NationZTPM20Only'.

      If the BMC.TpmTcmPolicyLock is set as 'Enabled' but BMC.TpmTcmPolicy value is invalid, UEFI will reject the 'lock' request and change BMC.TpmTcmPolicyLock back to 'Disabled'.

    8. Read back the value to check whether the 'Lock' has been enabled successfully:

      OneCli.exe config show BMC.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
      Note
      If the read-back value has changed from 'Disabled' to 'Enabled', the TPM_TCM_POLICY has been locked successfully. There is no method to unlock a policy once it has been set other than replacing the system I/O board.

      BMC.TpmTcmPolicyLock is defined as below:

      Value 1 uses string "Enabled", which means lock the policy. Other values are not accepted.
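The OneCLI procedure above (steps 1 through 8) as an added, runnable model; this is not Lenovo's code. SimulatedBmc is a constructed stand-in for the XCC that implements only the BMC.TpmTcmPolicy and BMC.TpmTcmPolicyLock rules this page documents (the value-to-string table, the lock request being rejected on reset when the policy is invalid, and the lock being irreversible), and choose_policy maps the customer situations listed above to the policy string; the real OneCli.exe commands appear only in comments.

```python
# Added example, not Lenovo's code: SimulatedBmc is a constructed stand-in for the XCC
# that implements only the BMC.TpmTcmPolicy / BMC.TpmTcmPolicyLock rules described above.
POLICY_VALUES = {0: "Undefined", 1: "NeitherTpmNorTcm", 2: "TPMOnly", 5: "NationZTPM20Only"}
VALID_POLICIES = {"NeitherTpmNorTcm", "TPMOnly", "NationZTPM20Only"}  # accepted when locking

def choose_policy(chinese_mainland: bool, tpm_installed: bool) -> str:
    """Pick the policy string for the customer situations the page describes."""
    if not tpm_installed:
        return "NeitherTpmNorTcm"  # TPM_PERM_DISABLED
    return "NationZTPM20Only" if chinese_mainland else "TPMOnly"

class SimulatedBmc:
    def __init__(self):
        self.settings = {"BMC.TpmTcmPolicy": "Undefined",  # replacement board default
                         "BMC.TpmTcmPolicyLock": "Disabled"}
        self.locked = False  # set by UEFI on reset, never cleared

    def config_show(self, name):  # OneCli.exe config show <name>
        return self.settings[name]

    def config_set(self, name, value):  # OneCli.exe config set <name> <value>
        if name == "BMC.TpmTcmPolicy":
            if self.locked:
                raise PermissionError("TPM_TCM_POLICY is locked; no changes are permitted")
            if value not in POLICY_VALUES.values():
                raise ValueError(f"unknown policy string {value!r}")
        elif name == "BMC.TpmTcmPolicyLock" and value != "Enabled":
            raise ValueError("only 'Enabled' is accepted for the lock")
        self.settings[name] = value

    def reboot(self):  # OneCli.exe misc ospower reboot
        # UEFI reads the lock on reset: lock only if the policy is valid, else revert to 'Disabled'.
        if self.settings["BMC.TpmTcmPolicyLock"] == "Enabled":
            if self.settings["BMC.TpmTcmPolicy"] in VALID_POLICIES:
                self.locked = True
            else:
                self.settings["BMC.TpmTcmPolicyLock"] = "Disabled"

def apply_and_lock(bmc, policy):
    """Steps 1-8 of the OneCLI procedure; returns the step-4 and step-8 read-back values."""
    if bmc.config_show("BMC.TpmTcmPolicyLock") == "Enabled":  # step 1: lock must be 'Disabled'
        raise RuntimeError("policy already locked; only a board replacement can change it")
    bmc.config_set("BMC.TpmTcmPolicy", policy)  # step 2
    bmc.reboot()  # step 3
    policy_read = bmc.config_show("BMC.TpmTcmPolicy")  # step 4
    if policy_read != policy:
        raise RuntimeError("TPM_TCM_POLICY change was not accepted")
    bmc.config_set("BMC.TpmTcmPolicyLock", "Enabled")  # step 6 (step 5 re-checks the lock)
    bmc.reboot()  # step 7
    return policy_read, bmc.config_show("BMC.TpmTcmPolicyLock")  # step 8
```

Running apply_and_lock against a fresh SimulatedBmc returns ("TPMOnly", "Enabled") for the ROW case, after which any further policy change raises PermissionError, mirroring the page's statement that only a board replacement can change a locked policy.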