Manual Chapter :
Trusted Platform
Module (TPM)
Applies To:
Show VersionsBIG-IP AAM
- 15.0.1, 15.0.0
BIG-IP APM
- 15.0.1, 15.0.0
BIG-IP Link Controller
- 15.0.1, 15.0.0
BIG-IP Analytics
- 15.0.1, 15.0.0
BIG-IP LTM
- 15.0.1, 15.0.0
BIG-IP AFM
- 15.0.1, 15.0.0
BIG-IP PEM
- 15.0.1, 15.0.0
BIG-IP DNS
- 15.0.1, 15.0.0
BIG-IP ASM
- 15.0.1, 15.0.0
Trusted Platform
Module (TPM)
About the Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a hardware device that implements
security functions to provide the ability to determine a trusted computing environment,
allowing for an increased assurance of trust that a device behaves for its intended
purpose. TPM Chain of Custody provides assurance that the software loaded on your
platform at startup time has the same signature as the software that is loaded by F5
when the system is manufactured.
The TPM implements protected capabilities and locations that protect
and report integrity measurements using Platform Configuration Registers (PCRs). The TPM
also includes additional security functionality, including cryptographic key management,
random number generation, and the sealing of data to system state.
Your TPM-equipped F5 system comes with functionality to aid in
attestation and confirming chain of custody for the device locally and remotely without
the need for doing it manually. This functionality verifies that the correct,
F5-supplied BIOS, TBOOT software, kernel, and initrd are used during system boot.
You can verify the integrity of your system manually, locally, or
remotely. For information on performing manual attestation, see K93302141: Performing
manual attestation with TPM on BIG-IP systems (
support.f5.com/csp/article/K93302141
).If your system has been breached, consult your
security team immediately.
Platform support
These platforms include a Trusted Platform Module
(TPM).
- BIG-IP i2000 Series
- BIG-IP i4000 Series
- BIG-IP i5000 Series
- BIG-IP i7000 Series
- BIG-IP i10000 Series
- BIG-IP i11000 Series
- BIG-IP i15000 Series
- VIPRION B4450 blade
About local attestation
You can perform local attestation of the Trusted Platform Module (TPM)
chain of custody using the Platform Configuration Register (PCR) values, which the
BIG-IP system computes for the BIOS and other important software components (such as the
kernel and initrd), to confirm that the firmware is unmodified.
Local attestation is supported on TPM-enabled
systems running BIG-IP software version 14.0.0 and later.
Display the current
local attestation status using tmsh
You can use the TMOS Shell command-line interface
(
tmsh
) to display and
verify the current local attestation status of your system. You can also verify the status of your system by performing a
manual attestation. For information, see
K93302141:
Performing manual attestation with TPM on BIG-IP systems
at support.f5.com/csp/article/K93302141
.Local attestation is supported on TPM-enabled systems running
BIG-IP software version 14.0 and later.
- Log in to the command-line interface of the system using an administrative account.
- Open the TMOS Shell (tmsh).tmsh
- Display the current local attestation status.The-aoption specifies appending of PCR data to a file, and the-voption displays more verbosity.run sys integrity status-a-vA message similar to this example displays the current status:System Integrity Status: Valid
Available system integrity states
This table lists the available local attestation
system integrity states for the Trusted Platform Module (TPM).
State |
Description |
---|---|
Not Supported |
Indicates that the system does not
have the capability to perform System Integrity
Measurements. |
Pending |
Indicates that the system is not yet
ready to produce a System Integrity Measurement and evaluate
the reference values. |
Valid |
Indicates that the solicited System
Integrity Measurement matches one of the sets of reference
values in the local System Integrity Reference Repository
(SIRR). |
Invalid |
Indicates that the System Integrity
Measurement has been taken without error, but the values do
not match any set of acceptable values in the local System
Integrity Reference Repository. This could mean that the SIRR
is out of date or that the system has been tampered
with. |
Unavailable |
Indicates that an error has
occurred. |
About remote attestation
You can perform remote attestation of the Trusted Platform Module
(TPM) chain of custody using the Platform Configuration Register (PCR) values, which the
BIG-IP system computes for the BIOS and other important software components (such as the
kernel and initrd), to confirm that the firmware is unmodified. You use BIG-IP iHealth
to remotely verify the integrity of your system.
Remote attestation is supported on TPM-enabled
systems running BIG-IP software version 14.1.0 and later.
Create a support
snapshot file for remote attestation using the Configuration utility
You can use the Configuration utility to create
the support snapshot file that is used to verify the current remote attestation status
of your system.
Remote attestation is supported
on TPM-enabled systems running BIG-IP software version 14.1.0 and
later.
- On the Main tab, click.The Support screen displays a list of existing support snapshot files.
- ClickNew Support Snapshot.
- For theHealth Utilitysetting, select Generate and Upload QKView to iHealth.This creates a QKView file and uses your specified iHealth credentials to upload the file to the F5 iHealth portal.
- In theiHealth User IDfield, type your iHealth user ID.
- In theiHealth Passwordfield, type your iHeath user password.
- For theQKView Optionssettings, select any these options for creating the QKView file.Exclude Audit FilesSpecifies whether the QKView includes the audit files.Exclude Core FilesSpecifies whether the QKView includes the core files.Exclude Secure FilesSpecifies whether the QKView includes secure files.Exclude Bash HistorySpecifies whether the QKView includes the Bash history.Unlimited snaplenSpecifies no limit for QKView file size, which ensures that the operation captures the maximum amount of data per packet.Although the wording suggests that file size is unlimited, there is an effective maximum, based on the largest expected QKView, which varies by release.
- In theSupport Case (SR) Numberfield, type the F5 SR number that is associated with this QKView.
- In theDescriptionfield, type a description for this QKView.
- ClickStart.
View remote
attestation status using iHealth
Before you perform this procedure, be sure that
you have created a support snapshot and uploaded it to F5 iHealth.
You can use F5 iHealth to verify the current
remote attestation status of your system.
Remote
attestation is supported on TPM-enabled systems running BIG-IP software version
14.1.0 and later.
- Log in to F5 iHealth (ihealth.f5.com/qkview-analyzer).The Uploads tab displays.
- Click the hostname for the system that you want to view.The attestation status for your system displays underIntegrity Check.If the status isValid, no further action is required. If the status is eitherInvalidorUnavailable, you must take additional actions immediately.
Available system integrity states
This table lists the available remote attestation
system integrity states for the Trusted Platform Module (TPM).
State |
Description |
---|---|
Valid |
Indicates that the solicited System
Integrity Measurement matches one of the sets of reference
values in the local System Integrity Reference Repository
(SIRR). |
Invalid |
Indicates that the System Integrity
Measurement has been taken without error, but the values do
not match any set of acceptable values in the local System
Integrity Reference Repository. This could mean that the SIRR
is out of date or that the system has been tampered
with. |
Unavailable |
Indicates that an error has
occurred. |