Manual Chapter : Trusted Platform Module (TPM)

Applies To:

  • BIG-IP AAM: 14.0.1, 14.0.0
  • BIG-IP APM: 14.0.1, 14.0.0
  • BIG-IP Analytics: 14.0.1, 14.0.0
  • BIG-IP LTM: 14.0.1, 14.0.0
  • BIG-IP PEM: 14.0.1, 14.0.0
  • BIG-IP AFM: 14.0.1, 14.0.0
  • BIG-IP DNS: 14.0.1, 14.0.0
  • BIG-IP ASM: 14.0.1, 14.0.0

About the Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a hardware device that implements security functions for establishing a trusted computing environment, giving increased assurance that a device behaves as intended. TPM Chain of Custody provides assurance that the software loaded on your platform at startup time has the same signature as the software that F5 loaded when the system was manufactured.
The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also provides additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.
Your TPM-equipped F5 system includes functionality that performs attestation and confirms chain of custody for the device locally, without the need to do so manually. This functionality verifies that the correct, F5-supplied BIOS, TBOOT software, kernel, and initrd are used during system boot.
If your system has been breached, consult your security team immediately.

Platform support

These platforms include a Trusted Platform Module (TPM).
  • BIG-IP i2000 Series
  • BIG-IP i4000 Series
  • BIG-IP i5000 Series
  • BIG-IP i7000 Series
  • BIG-IP i10000 Series
  • BIG-IP i11000 Series
  • BIG-IP i15000 Series
  • VIPRION B4450 blade

Display the current local attestation status using tmsh

You can use the TMOS Shell command line interface (tmsh) to display and verify the current local attestation status of your system.
You can also verify the status of your system by performing a manual attestation. For information, see K93302141: Performing manual attestation with TPM on BIG-IP systems at support.f5.com/csp/article/K93302141.
Local attestation is supported on TPM-enabled systems running BIG-IP software version 14.0 and later.
  1. Log in to the command-line interface of the system using an administrative account.
  2. Open the TMOS Shell (tmsh).
     tmsh
  3. Display the current local attestation status. The -a option specifies appending of PCR data to a file, and the -v option displays more verbosity.
     run sys integrity status -a -v
     A message similar to this example displays the current status:
     System Integrity Status: Valid

Available system integrity states

This table lists the available system integrity states for the Trusted Platform Module (TPM), as State: Description.
  • Not Supported: Indicates that the system does not have the capability to perform System Integrity Measurements.
  • Pending: Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values.
  • Valid: Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR).
  • Invalid: Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with.
  • Unavailable: Indicates that an error has occurred.
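As an added example (not part of the F5 manual), the following shell check wraps the tmsh command from the procedure above and maps the state names from this table to a monitoring exit code so the result can be alerted on. The 0/1/2/3 severity convention, the function names, and the sample outputs are assumptions made for this example; the samples are constructed, not captured from a real system.

```shell
#!/bin/bash
# Added example: classify "tmsh run sys integrity status" output for monitoring.
# Exit-code convention assumed here: 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN.

# Read status output on stdin, print the parsed state name, and return
# the severity code for that state. Unparseable output is reported as "Missing".
classify_integrity_status() {
    local state
    state=$(sed -n 's/^System Integrity Status:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "${state:-Missing}"
    case "$state" in
        Valid)           return 0 ;;  # measurement matched a SIRR reference set
        Pending)         return 1 ;;  # system not ready yet; re-check later
        Invalid)         return 2 ;;  # mismatch: SIRR out of date or tampering; escalate
        "Not Supported") return 3 ;;  # platform has no TPM measurement capability
        Unavailable)     return 3 ;;  # an error occurred while measuring
        *)               return 3 ;;  # no status line found in the output
    esac
}

# Convenience wrapper for use on the BIG-IP itself (hypothetical helper name):
# runs the command from the manual and classifies its output.
check_tpm_integrity() {
    tmsh run sys integrity status -a -v | classify_integrity_status
}

# Constructed sample outputs for exercising the parser offline.
SAMPLE_VALID='System Integrity Status: Valid'
SAMPLE_INVALID='System Integrity Status:   Invalid'
SAMPLE_PENDING='System Integrity Status: Pending'
```

On a BIG-IP, call check_tpm_integrity from a cron job or monitoring agent and treat exit code 2 as an incident trigger, since Invalid means the boot measurements no longer match any acceptable reference set.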