Manual Chapter: Trusted Platform Module (TPM)

Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP Analytics, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM (versions 14.0.1, 14.0.0)
About the Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a hardware device that implements security functions for establishing a trusted computing environment, giving increased assurance that a device behaves as intended. TPM Chain of Custody provides assurance that the software loaded on your platform at startup time has the same signature as the software loaded by F5 when the system was manufactured.

The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also includes additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.

Your TPM-equipped F5 system comes with functionality that performs attestation and confirms chain of custody for the device locally, without the need to do it manually. This functionality verifies that the correct, F5-supplied BIOS, TBOOT software, kernel, and initrd are used during system boot.

If your system has been breached, consult your security team immediately.
Platform support

These platforms include a Trusted Platform Module (TPM).
- BIG-IP i2000 Series
- BIG-IP i4000 Series
- BIG-IP i5000 Series
- BIG-IP i7000 Series
- BIG-IP i10000 Series
- BIG-IP i11000 Series
- BIG-IP i15000 Series
- VIPRION B4450 blade
Display the current local attestation status using tmsh

You can use the TMOS Shell command-line interface (tmsh) to display and verify the current local attestation status of your system. You can also verify the status of your system by performing a manual attestation. For information, see K93302141: Performing manual attestation with TPM on BIG-IP systems at support.f5.com/csp/article/K93302141. Local attestation is supported on TPM-enabled systems running BIG-IP software version 14.0 and later.
- Log in to the command-line interface of the system using an administrative account.
- Open the TMOS Shell (tmsh): `tmsh`
- Display the current local attestation status. The `-a` option appends the PCR data to a file, and the `-v` option displays more verbose output: `run sys integrity status -a -v`. A message similar to this example displays the current status: `System Integrity Status: Valid`
Available system integrity states

This table lists the available system integrity states for the Trusted Platform Module (TPM).

| State | Description |
|---|---|
| Not Supported | Indicates that the system does not have the capability to perform System Integrity Measurements. |
| Pending | Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values. |
| Valid | Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR). |
| Invalid | Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with. |
| Unavailable | Indicates that an error has occurred. |
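The tmsh procedure above prints the state as a single `System Integrity Status:` line, and the table gives each state a meaning; operationally, the next question is how to turn that into a monitoring verdict so an Invalid or Unavailable result is noticed rather than read once at a console. The following POSIX shell script is an added example, not F5's code or anything from this manual: it parses the status line out of captured command output and maps each state from the table to a Nagios-style exit code. The sample output embedded in it is constructed; only the `System Integrity Status: Valid` line format comes from the manual, and the verbose PCR lines are placeholders. It assumes that on a real BIG-IP the output would be captured with `tmsh run sys integrity status -a -v` with `tmsh` on the PATH.

```shell
#!/bin/sh
# Added example (not F5's code): turn the "System Integrity Status" line
# printed by `tmsh run sys integrity status -a -v` into a monitoring verdict.
# Everything below the status line in the sample output is a constructed
# placeholder; the real verbose PCR format is not documented on this page.

# Map a state from the manual's table to a Nagios-style exit code:
#   0 OK       - Valid          (measurement matched a reference set in the SIRR)
#   1 WARNING  - Pending        (measurement not ready yet; re-check later)
#   2 CRITICAL - Invalid        (measured without error but matched no SIRR set:
#                                stale SIRR or possible tampering; escalate)
#   3 UNKNOWN  - Not Supported, Unavailable, or an unparsed/missing line
integrity_exit_code() {
    case "$1" in
        "Valid")         echo 0 ;;
        "Pending")       echo 1 ;;
        "Invalid")       echo 2 ;;
        "Not Supported") echo 3 ;;
        "Unavailable")   echo 3 ;;
        *)               echo 3 ;;
    esac
}

# Read command output on stdin and print the state from the first
# "System Integrity Status:" line, with trailing whitespace removed.
# Any verbose PCR lines are ignored. Prints nothing if no such line exists.
parse_integrity_status() {
    sed -n 's/^System Integrity Status:[[:space:]]*//p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Constructed sample output standing in for a real capture on a lab system.
SAMPLE_OUTPUT='System Integrity Status: Valid
PCR data (constructed placeholder line, not real TPM output)
'

# usage: check_integrity "<captured command output>"
# Prints a one-line summary and returns the exit code for the monitoring system.
check_integrity() {
    state=$(printf '%s\n' "$1" | parse_integrity_status)
    [ -n "$state" ] || state="Unparsed"
    code=$(integrity_exit_code "$state")
    echo "tpm_integrity: state=$state exit=$code"
    return "$code"
}

# On a real BIG-IP (assumption: tmsh on PATH) the capture would be:
#   check_integrity "$(tmsh run sys integrity status -a -v)"
# Here the constructed sample is checked instead.
check_integrity "$SAMPLE_OUTPUT"
```

Wiring this into a scheduled check lets the Invalid state, which the table says may mean either a stale SIRR or tampering, raise a critical alert for the security team to triage, while Pending only warns because the measurement has not been taken yet.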