imm.TpmTcmPolicy is defined as below:
– Value 0 use string “Undefined” , which means UNDEFINED policy.
– Value 1 use string “NeitherTpmNorTcm”, which means TPM_PERM_DISABLED.
– Value 2 use string “TpmOnly”, which means TPM_ALLOWED.
– Value 4 use string “TcmOnly”, which means TCM_ALLOWED.
– Below 4 steps must also be used to ‘lock’ the TPM_TCM_POLICY when using OneCli/ASU
commands:
5. Read TpmTcmPolicyLock to check whether the TPM_TCM_POLICY has been locked , command as
below:
OneCl
i.e
xe
con
fig
show
imm.TpmTcmPol
icyLock
--override --imm
<userid>:<password>@<ip_address>
The value must be 'Disabled', it means TPM_TCM_POLICY is NOT locked and must be set.
6. Lock the TPM_TCM_POLICY:
OneCl
i.e
xe
con
f
ig
se
t
imm.TpmTcmP
ol
icyLock
"En
abl
ed"
--override --imm
<user
id>:<p
assword>@<ip_address>
7. Issue reset command to reset system, command as below:
OneCl
i.e
xe
misc
ospower
reboo
t
--imm
<user
id>:<pas
sword>@<ip_address>
During the reset, UEFI will read the value from imm.TpmTcmPolicyLock, if the value is 'Enabled' and
the imm.TpmTcmPolicy value is invalid, UEFI will lock the TPM_TCM_POLICY setting.
The valid value for imm.TpmTcmPolicy includes 'NeitherTpmNorTcm', 'TpmOnly' and 'TpmOnly'.
If the imm.TpmTcmPolicy is set as 'Enabled' but imm.TpmTcmPolicy value is invalid, UEFI will reject
the 'lock' request and change imm.TpmTcmPolicy back to 'Disabled'.
8. Read back the value to check whether the ‘Lock’ is accepted or rejected. command as below:
OneCl
i.e
xe
con
f
ig
show
imm.TpmTcmP
ol
icy
--override --imm
<user
id>:<p
assword>@<ip_address>
Note: If the read back value is changed from 'Disabled' to 'Enabled' that means the TPM_TCM_
POLICY has been locked successfully. There is no method to unlock a policy once it has been set
other than replacing system board.
imm.TpmTcmPolicyLock is defined as below:
Value 1 use string “Enabled" , which means lock the policy. Other values are not accepted.
Procedure also requires that Physical Presence is enabled. The Default value for FRU will be enabled.
PhysicalPresencePolicyConfiguration.PhysicalPresencePolicy=Enable
Assert Physical Presence
Before you can assert Physical Presence, the Physical Presence Policy must be enabled. By default, the
Physical Presence Policy is enabled with a timeout of 30 minutes.
There are two ways to assert the Physical Presence:
1. If the Physical Presence Policy is enabled, you can assert Physical Presence through the Lenovo
XClarity Provisioning Manager or through the Lenovo XClarity Controller.
2. Switch the hardware jumpers on the system board.
Notes: If the Physical Presence Policy has been disabled:
1. Set the hardware Physical Presence jumper on the system board to assert Physical Presence.
2. Enable the Physical Presence Policy using either F1 (UEFI Settings) or Lenovo XClarity Essentials
OneCLI.
162
ThinkSystem SR550 Maintenance Manual
To Next Page
Loading...
