How to Initialize TPM Using the Oracle ILOM Interface (SPARC Only)

On SPARC systems, you use both the system's ILOM and Oracle Solaris interfaces to initialize TPM.

This procedure includes instructions for backing up the TPM data and keys.

  1. At the ILOM prompt, stop the host system.
    • For single-host servers:

      -> stop /System
      
    • For multidomain servers:

      -> stop /Servers/PDomains/PDomain_n/HOST
      

    Stopping the server can take some time. You must wait until the host console displays the following message before proceeding to the next step.

    -> SP NOTICE: Host is off
    

    Note:

    Add the -f|force option to the stop command only if the preceding step does not shut down the host.

  2. Activate TPM.

    Activate TPM with one of the following sets of commands, depending on the SPARC system model.

    • On SPARC M5-Series servers and SPARC T5-Series servers, use the following command:

      -> set /HOST/tpm mode=activated
      
    • On SPARC M5-32 Series servers, use the following command:

      -> set /HOST0/tpm mode=activated
      
    • On SPARC T4 servers, use the following commands:

      -> set /HOST/tpm enable=true activate=true
      -> show /HOST/tpm
      
  3. At the Oracle Solaris prompt, initialize TPM.

    Initializing TPM takes ownership of the TPM, which makes you the TPM owner and requires you to set an owner password, also called the Owner PIN.

    # tpmadm init
    TPM Owner PIN:
    Confirm TPM Owner PIN:

  4. Verify the status of TPM.

    # tpmadm status
    TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
    TPM resources
    Contexts: 16/16 available
    Sessions: 2/3 available
    Auth Sessions: 2/3 available
    Loaded Keys: 18/21 available
    Platform Configuration Registers (24)
    PCR 0: E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
    PCR 1: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR 2: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR 3: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR 4: AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C
    PCR 5: E1 AA 8C DF 53 A4 23 BF DB 2F 4F 0F F2 90 A5 45 21 D8 BF 27
    PCR 6: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR 7: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR 23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  5. Back up TPM data and keys for future use during system migration or hardware replacement.
    • For multidomain systems with Oracle Solaris installed, enable failover of the SP board that contains the TPM.

      # tpmadm failover
      Enter TPM Owner PIN:
      Enter PIN for the migration key:
      Confirm PIN for the migration key:
      

      Note:

      The TPM owner PIN is the PIN used when TPM was initialized.

      Make a note of the PIN you supply for the migration key, because you need that PIN to back up and restore the TPM keystore during future system migrations or hardware replacements. For more information, see SPARC: TPM Failover Option and the tpmadm(8) man page.

    • For all other platforms, perform a manual backup of TPM data and keys. For instructions, see How to Back Up TPM Data and Keys (SPARC Only).

  6. (Optional) Enable the TPM crypto provider.

    Note:

    The TPM crypto provider is slower than the Oracle Solaris software cryptographic providers. Perform this step only if you want the TPM, rather than the software providers, to perform cryptographic operations.

    # cryptoadm install provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
    # cryptoadm list -mv provider='/usr/lib/security/$ISA/pkcs11_tpm.so'
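The following POSIX shell script is an added example and is not part of the Oracle documentation. It checks the tpmadm status output from step 4 for two things a practitioner wants to confirm after initialization: that the TPM reports version 1.2, and that every PCR in the range 0-7 present in the output holds a non-zero digest. On a TPM 1.2, PCRs 0-7 start at all zeros at power-on and are extended by firmware during boot, so an all-zero value there means no boot measurement reached that register. The two status samples embedded below are constructed in the layout shown in step 4 and shortened; the second one deliberately has an all-zero PCR 2 so the failure path is exercised. On a real system, pipe the live output into the check: tpmadm status | check_tpm_status.

```shell
#!/bin/sh
# Added example: sanity-check `tpmadm status` output after `tpmadm init`.
# Not Oracle's code; it assumes only the output layout shown in step 4
# (a "TPM Version:" line and "PCR n: <20 hex bytes>" lines).

# Constructed sample, shortened, mirroring a healthy step-4 result.
SAMPLE_STATUS_OK='TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
TPM resources
Contexts: 16/16 available
Loaded Keys: 18/21 available
Platform Configuration Registers (24)
PCR 0: E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
PCR 1: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 2: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 3: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 4: AF 98 77 B8 72 82 94 7D BE 09 25 10 2E 60 F9 60 80 1E E6 7C
PCR 5: E1 AA 8C DF 53 A4 23 BF DB 2F 4F 0F F2 90 A5 45 21 D8 BF 27
PCR 6: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 7: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF'

# Constructed sample, shortened, with an unextended (all-zero) PCR 2.
SAMPLE_STATUS_BAD='TPM Version: 1.2 (ATML Rev: 13.9, SpecLevel: 2, ErrataRev: 1)
Platform Configuration Registers (24)
PCR 0: E1 EE 40 D8 66 28 A9 08 B6 22 8E AF DC 3C BC 23 71 15 49 31
PCR 1: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
PCR 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR 17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF'

# tpm_version: print the value after "TPM Version:" (e.g. 1.2). Reads stdin.
tpm_version() {
    awk '/^TPM Version:/ { print $3; exit }'
}

# unextended_boot_pcrs: print the numbers of PCRs 0-7 whose 20-byte digest
# is all zeros, one per line. Reads stdin. "PCR 10:" etc. do not match the
# pattern because a ":" must directly follow the single digit.
unextended_boot_pcrs() {
    awk '/^PCR [0-7]:/ {
        n = $2; sub(":", "", n)
        zero = 1
        for (i = 3; i <= NF; i++) if ($i != "00") zero = 0
        if (zero) print n
    }'
}

# check_tpm_status: read status text on stdin; return 0 when the TPM reports
# version 1.2 and no boot PCR (0-7) is all zeros, otherwise print what is
# wrong and return 1.
check_tpm_status() {
    status=$(cat)
    ver=$(printf '%s\n' "$status" | tpm_version)
    missing=$(printf '%s\n' "$status" | unextended_boot_pcrs)
    rc=0
    if [ "$ver" != "1.2" ]; then
        echo "unexpected or missing TPM version: '$ver'"
        rc=1
    fi
    if [ -n "$missing" ]; then
        # unquoted expansion joins the newline-separated list with spaces
        echo "boot PCRs with no measurement extended:" $missing
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "TPM status looks sane: version $ver, PCRs 0-7 extended"
    return "$rc"
}

# Run both constructed samples through the check.
for sample in "$SAMPLE_STATUS_OK" "$SAMPLE_STATUS_BAD"; do
    if printf '%s\n' "$sample" | check_tpm_status; then
        echo "result: OK"
    else
        echo "result: PROBLEM"
    fi
done
```

The check is deliberately conservative: it only reads the lines the step-4 output is documented to contain, and it says nothing about PCRs 17-22, whose all-FF values in the sample are simply their reset state rather than a fault.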