Set the TPM/TCM policy

By default, a replacement system board is shipped with the TPM/TCM policy set to undefined. You must modify this setting to match the setting that was in place for the system board that is being replaced.

You can set the TPM/TCM policy from Lenovo XClarity Provisioning Manager.

Complete the following steps to set the TPM/TCM policy.

  1. Start the server and when prompted, press F1 to display Lenovo XClarity Provisioning Manager.
  2. If the power-on Administrator password is required, enter the password.
  3. From the System Summary page, click Update VPD.
  4. Set the policy to one of the following settings.
    • TCM enabled - Chinese Mainland only. Customers in Chinese Mainland should choose this setting if a TCM adapter is installed.

    • NationZ TPM 2.0 enabled - Chinese Mainland only. Customers in Chinese Mainland should choose this setting if a NationZ TPM 2.0 adapter is installed.

    • TPM enabled - ROW. Customers outside of Chinese Mainland should choose this setting.

    • Permanently disabled. Customers in Chinese Mainland should use this setting if no TPM or TCM adapter is installed.

    Although the setting undefined is available as a policy setting, it should not be used.

    Note: You can use Lenovo XClarity Essentials OneCLI to update the TPM/TCM policy. Please note that a Local IPMI user and password must be setup in Lenovo XClarity Controller for remote accessing to the target system.
    1. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked:
      OneCli.exe config show imm.TpmTcmPolicyLock --override --imm <userid>:<password>@<ip_address>
      Note:

      The imm.TpmTcmPolicyLock value must be 'Disabled', which means TPM_TCM_POLICY is NOT locked and changes to the TPM_TCM_POLICY are permitted. If the return code is ‘Enabled’ then no changes to the policy are permitted. The planar may still be used if the desired setting is correct for the system being replaced.

    2. Configure the TPM_TCM_POLICY into XCC:

      • For the customer in Chinese Mainland with no TCM:

        OneCli.exe config set imm.TpmTcmPolicy "NeitherTpmNorTcm" --override  --imm <userid>:<password>@<ip_address>
      • For the customer in Chinese Mainland that has installed TCM module on the original system (TCM module should be moved to the FRU prior to changing policy)

        OneCli.exe config set imm.TpmTcmPolicy "TcmOnly" --override --imm <userid>:<password>@<ip_address>
      • For the customer outside of Chinese Mainland:

        OneCli.exe config set imm.TpmTcmPolicy "TpmOnly" --override --imm <userid>:<password>@<ip_address>
    3. Issue reset command to reset system:

      OneCli.exe misc ospower reboot --imm <userid>:<password>@<ip_address>
    4. Read back the value to check whether the change has been accepted:

      OneCli.exe config show imm.TpmTcmPolicy --override --imm <userid>:<password>@<ip_address>
      Note:
      • If the read back value is matched it means the TPM_TCM_POLICY has been set correctly.

        imm.TpmTcmPolicy is defined as below:
        • Value 0 use string “Undefined” , which means UNDEFINED policy.

        • Value 1 use string “NeitherTpmNorTcm”, which means TPM_PERM_DISABLED.

        • Value 2 use string “TpmOnly”, which means TPM_ALLOWED.

        • Value 4 use string “TcmOnly”, which means TCM_ALLOWED.

      • Below 4 steps must also be used to ‘lock’ the TPM_TCM_POLICY when using OneCli/ASU commands:

    5. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked , command as below:

       OneCli.exe config show imm.TpmTcmPolicyLock --override --imm <userid>:<password>@<ip_address>

      The value must be 'Disabled', it means TPM_TCM_POLICY is NOT locked and must be set.

    6. Lock the TPM_TCM_POLICY:

      OneCli.exe config set imm.TpmTcmPolicyLock "Enabled"--override --imm <userid>:<password>@<ip_address>
    7. Issue reset command to reset system, command as below:

      OneCli.exe misc ospower reboot --imm <userid>:<password>@<ip_address>

      During the reset, UEFI will read the value from imm.TpmTcmPolicyLock, if the value is 'Enabled' and the imm.TpmTcmPolicy value is invalid, UEFI will lock the TPM_TCM_POLICY setting.

      The valid value for imm.TpmTcmPolicy includes 'NeitherTpmNorTcm', 'TpmOnly' and 'TpmOnly'.

      If the imm.TpmTcmPolicy is set as 'Enabled' but imm.TpmTcmPolicy value is invalid, UEFI will reject the 'lock' request and change imm.TpmTcmPolicy back to 'Disabled'.

    8. Read back the value to check whether the ‘Lock’ is accepted or rejected. command as below:

      OneCli.exe config show imm.TpmTcmPolicy --override --imm <userid>:<password>@<ip_address>
      Note: If the read back value is changed from 'Disabled' to 'Enabled' that means the TPM_TCM_POLICY has been locked successfully. There is no method to unlock a policy once it has been set other than replacing system board.

      imm.TpmTcmPolicyLock is defined as below:

      Value 1 use string “Enabled" , which means lock the policy. Other values are not accepted.

      Procedure also requires that Physical Presence is enabled. The Default value for FRU will be enabled.
      PhysicalPresencePolicyConfiguration.PhysicalPresencePolicy=Enable