Configuring Trusted Platform Module options

Trusted Platform Modules are computer chips that securely store artifacts used to authenticate the platform. These artifacts can include passwords, certificates, or encryption keys. You can also use a TPM to store platform measurements to make sure that the platform remains trustworthy. For servers configured with a Trusted Platform Module, TPM enables the firmware and operating system to take measurements of all phases of the boot process. For information on installing and enabling the TPM module option, see the user documentation for your server model.

When enabling the Trusted Platform Module, observe the following guidelines:

  • By default, the Trusted Platform Module is enabled as TPM 2.0 when the server is powered on after the module is installed.

  • In UEFI Mode, the Trusted Platform Module can be configured to operate as TPM 2.0 or TPM 1.2.

  • In Legacy Boot Mode, the Trusted Platform Module configuration can be changed between TPM 1.2 and TPM 2.0, but only TPM 1.2 operation is supported.

CAUTION:

An OS that is using TPM might lock all data access if you do not follow proper procedures for modifying the server and suspending or disabling TPM in the OS. This includes updating system or option firmware, replacing hardware such as the system board and hard drive, and modifying TPM OS settings. Changing the TPM mode after installing an OS might cause problems, including loss of data.

Procedure
  1. From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Trusted Platform Module options.
  2. Select an option. On servers configured with an optional TPM, you can set the following:
    • TPM 2.0 Operation—Sets the operation of TPM 2.0 to execute after a reboot. Options are:

      • No Action—There is no TPM configured.
      • Clear—TPM is cleared during reboot, and TPM 2.0 Operation is set to No Action.

    • TPM Mode Switch—Sets the TPM mode to execute after a reboot. Options are:

      • No Action

      • TPM 1.2

      • TPM 2.0

    • TPM 2.0 Visibility—Sets whether TPM is hidden from the operating system. Options are:

      • Visible
      • Hidden—Hides TPM from the operating system. Use this setting to remove TPM options from the system without having to remove the actual hardware.
    • TPM UEFI Option ROM Measurement—Enables or disables (skips) measuring UEFI PCI option ROMs. Options are:

      • Enabled
      • Disabled
    • Backup ROM Image Authentication—Use this option to enable cryptographic authentication of the backup ROM image on startup. When this option is disabled, only the primary image is authenticated on each startup. Enable this option to also perform cryptographic authentication of the backup ROM image.

  3. Save your changes.
  4. Reboot the system.

    After the system reboots, you can view the Current TPM Type and Current TPM State settings.

  5. Verify that your new Current TPM Type and Current TPM State settings appear at the top of the screen.
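
The firmware screen in step 5 shows what the platform was told to do; the following added example (not part of the vendor documentation) cross-checks the result from a Linux OS, so that a TPM Mode Switch or TPM 2.0 Visibility change can be confirmed from the operating system side as well. It assumes a Linux kernel that exposes the tpm_version_major attribute under /sys/class/tpm/tpm0; the function names tpm_os_view and tpm_check_expected are hypothetical.

```shell
#!/bin/sh
# Added example: report the TPM as the Linux kernel sees it, to compare with
# the TPM Mode Switch / TPM 2.0 Visibility settings chosen in firmware.
# Assumption: the kernel publishes /sys/class/tpm/tpm0/tpm_version_major.

# tpm_os_view [sysfs_root]
# Prints one of: not-visible | 1.2 | 2.0 | unknown
tpm_os_view() {
    root="${1:-/sys}"              # overridable so the check can be tested
    dev="$root/class/tpm/tpm0"

    # No tpm0 node: TPM hidden in firmware, not installed, or driver not loaded.
    if [ ! -d "$dev" ]; then
        echo not-visible
        return 0
    fi

    ver_file="$dev/tpm_version_major"
    if [ -r "$ver_file" ]; then
        case "$(cat "$ver_file")" in
            1) echo 1.2 ;;
            2) echo 2.0 ;;
            *) echo unknown ;;
        esac
    else
        # Device present, but this kernel does not publish the version.
        echo unknown
    fi
}

# tpm_check_expected <expected> [sysfs_root]
# Returns 0 when the OS view matches the expected state, 1 otherwise.
tpm_check_expected() {
    expected="$1"
    actual="$(tpm_os_view "${2:-/sys}")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: OS sees TPM as $actual"
        return 0
    fi
    echo "MISMATCH: expected $expected, OS sees $actual" >&2
    return 1
}

# Example use after the reboot in step 4:
#   tpm_check_expected 2.0          # after switching to TPM 2.0
#   tpm_check_expected not-visible  # after setting Visibility to Hidden
```

A mismatch after the reboot is a reason to recheck the firmware settings before resuming any OS feature that depends on the TPM.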