(Required) Set the TPM policy
Use this topic to set the TPM policy.
Attention:
• Physical Presence must be asserted if you are going to set the TPM policy. See “(Required) Assert Physical Presence” on page 199.
• The policy to be set must match the TPM hardware device. For example, when the hardware device is an onboard chip for customers outside Chinese Mainland, if the policy is set to NationZ TPM 2.0 enabled - China only, the setting will fail.
• Once the policy is successfully set and locked, whether it be Permanently disabled, TPM enabled - ROW, or NationZ TPM 2.0 enabled - China only, the policy cannot be unlocked and modified on field sites. If a change is required, a new FRU system board is needed.
• After the policy is locked using OneCLI commands, for security reasons, it must be locked on field sites.
Recommended tools
Lenovo XClarity Essentials OneCLI commands
Setting the policy
Note:
A Local IPMI user and password must be set up in Lenovo XClarity Controller for remote access to the target system.
Steps:
1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:
OneCli.exe config show bmc.TpmTcmPolicyLock --override --bmc <userid>:<password>@<ip_address>
Note:
The bmc.TpmTcmPolicyLock value must be 'Disabled', which means TPM_TCM_POLICY is NOT locked and changes to the TPM_TCM_POLICY are permitted. If the return code is ‘Enabled’ then no changes to the policy are permitted. The planar may still be used if the desired setting is correct for the system being replaced.
2. Configure the TPM_TCM_POLICY into BMC:
• For customers in Chinese Mainland with no TPM, or customers who need to disable TPM:
OneCli.exe config set bmc.TpmTcmPolicy "NeitherTpmNorTcm" --override --bmc <userid>:<password>@<ip_address>
• For customers in Chinese Mainland who need to enable TPM:
OneCli.exe config set bmc.TpmTcmPolicy "NationZTPM20Only" --override --bmc <userid>:<password>@<ip_address>
• For customers outside Chinese Mainland who need to enable TPM:
OneCli.exe config set bmc.TpmTcmPolicy "TpmOnly" --override --bmc <userid>:<password>@<ip_address>
3. Issue the reset command to reset the system:
OneCli.exe misc ospower reboot --bmc <userid>:<password>@<ip_address>
4. Read back the value to check whether the change has been accepted:
OneCli.exe config show bmc.TpmTcmPolicy --override --bmc <userid>:<password>@<ip_address>
Notes:
If the read-back value matches, the TPM_TCM_POLICY has been set correctly.
bmc.TpmTcmPolicy is defined as below:
• Value 0 uses the string “Undefined”, which means UNDEFINED policy.
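The four steps above as a fail-closed wrapper, added here as an example and not taken from Lenovo's documentation: it refuses to write the policy unless bmc.TpmTcmPolicyLock reads back as Disabled and accepts only the three policy strings shown in step 2. Assumptions: config show prints <setting>=<value> lines, OneCLI exits non-zero on failure, the BMC_TARGET environment variable holds <userid>:<password>@<ip_address>, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Lenovo's code). Usage after sourcing:
#   set_tpm_policy TpmOnly      # steps 1-3
#   verify_tpm_policy TpmOnly   # step 4, once the system is back up
ONECLI="${ONECLI:-OneCli.exe}"  # binary name as on the page; override per platform
# BMC_TARGET=<userid>:<password>@<ip_address> comes from the environment,
# so the credentials are never stored in this script.

# Assumption: "config show" prints "<setting>=<value>" lines.
setting_value() {   # $1 = setting name, stdin = OneCLI output
    awk -F= -v k="$1" '$1 == k { sub(/\r$/, "", $2); print $2; exit }'
}

# Only the three values from step 2 are accepted.
valid_policy() {
    case "$1" in
        NeitherTpmNorTcm|NationZTPM20Only|TpmOnly) return 0 ;;
        *) return 1 ;;
    esac
}

show() {   # $1 = setting name; prints its current value, empty on failure
    "$ONECLI" config show "$1" --override --bmc "$BMC_TARGET" | setting_value "$1"
}

set_tpm_policy() {   # $1 = desired policy
    valid_policy "$1" || { echo "unknown policy: $1" >&2; return 2; }
    lock=$(show bmc.TpmTcmPolicyLock)
    # Fail closed: anything other than an explicit "Disabled" blocks the write.
    if [ "$lock" != "Disabled" ]; then
        echo "policy lock is '${lock:-unreadable}', not changing" >&2
        return 3
    fi
    "$ONECLI" config set bmc.TpmTcmPolicy "$1" --override --bmc "$BMC_TARGET" || return 4
    "$ONECLI" misc ospower reboot --bmc "$BMC_TARGET" || return 5
}

verify_tpm_policy() {   # $1 = expected policy
    got=$(show bmc.TpmTcmPolicy)
    [ "$got" = "$1" ] || { echo "read back '$got', expected '$1'" >&2; return 1; }
}
```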
ThinkSystem SR635 Maintenance Manual