Manual Chapter : Trusted Platform Module (TPM)

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP Analytics

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP Link Controller

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP DNS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

About the Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a hardware device that implements security functions used to establish a trusted computing environment, giving increased assurance that a device behaves as intended. TPM Chain of Custody provides assurance that the software loaded on your platform at startup time has the same signature as the software that is loaded by F5 when the system is manufactured.
The TPM implements protected capabilities and locations that protect and report integrity measurements using Platform Configuration Registers (PCRs). The TPM also includes additional security functionality, including cryptographic key management, random number generation, and the sealing of data to system state.
Your TPM-equipped F5 system comes with functionality to aid in attestation and to confirm chain of custody for the device, locally and remotely, without having to do it manually. This functionality verifies that the correct, F5-supplied BIOS, TBOOT software, kernel, and initrd are used during system boot.
You can verify the integrity of your system manually, locally, or remotely. For information on performing manual attestation, see K93302141: Performing manual attestation with TPM on BIG-IP systems (support.f5.com/csp/article/K93302141).
If your system has been breached, consult your security team immediately.

Platform support

These platforms include a Trusted Platform Module (TPM).
  • BIG-IP i2000 Series
  • BIG-IP i4000 Series
  • BIG-IP i5000 Series
  • BIG-IP i7000 Series
  • BIG-IP i10000 Series
  • BIG-IP i11000 Series
  • BIG-IP i15000 Series
  • VIPRION B4450 blade

About local attestation

You can perform local attestation of the Trusted Platform Module (TPM) chain of custody using the Platform Configuration Register (PCR) values, which the BIG-IP system computes for the BIOS and other important software components (such as the kernel and initrd), to confirm that the firmware is unmodified.
Local attestation is supported on TPM-enabled systems running BIG-IP software version 14.0.0 and later.

Available system integrity states

This table lists the available local attestation system integrity states for the Trusted Platform Module (TPM).
| State | Description |
|---|---|
| Not Supported | Indicates that the system does not have the capability to perform System Integrity Measurements. |
| Pending | Indicates that the system is not yet ready to produce a System Integrity Measurement and evaluate the reference values. |
| Valid | Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR). |
| Invalid | Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with. |
| Unavailable | Indicates that an error has occurred. |
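
The comparison behind the Valid and Invalid states, as an added illustration (not F5 code): it replays a boot chain through the standard TPM extend operation and checks the resulting PCR values against sets of reference values. The SHA-256 bank, PCR indexes, component bytes and release names are constructed assumptions; the real SIRR format is not shown on this page.

```python
import hashlib

ZERO = bytes(32)  # PCRs start at all zeros; SHA-256 bank assumed for illustration

def extend(pcr, blob):
    """TPM extend operation: PCR_new = H(PCR_old || H(blob))."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def measure(chain):
    """Replay an ordered boot chain of (pcr_index, bytes) into PCR hex values."""
    pcrs = {}
    for index, blob in chain:
        pcrs[index] = extend(pcrs.get(index, ZERO), blob)
    return {index: value.hex() for index, value in pcrs.items()}

def evaluate(measurement, sirr):
    """Valid if the measurement equals any reference set, otherwise Invalid."""
    return "Valid" if any(measurement == ref for ref in sirr.values()) else "Invalid"

def mismatched(measurement, reference):
    """PCR indexes that differ from one reference set (useful for triage)."""
    keys = set(measurement) | set(reference)
    return sorted(k for k in keys if measurement.get(k) != reference.get(k))

# Constructed inputs: component bytes, PCR indexes and release names are hypothetical.
def boot_chain(bios, tboot, kernel, initrd):
    return [(0, bios), (17, tboot), (18, kernel), (18, initrd)]

RELEASE_A = boot_chain(b"bios-1", b"tboot-1", b"kernel-A", b"initrd-A")
RELEASE_B = boot_chain(b"bios-1", b"tboot-1", b"kernel-B", b"initrd-B")
SIRR = {"release-A": measure(RELEASE_A), "release-B": measure(RELEASE_B)}

# One modified component, and one genuine release that the SIRR does not list yet.
TAMPERED = boot_chain(b"bios-1", b"tboot-1", b"kernel-A", b"initrd-A-modified")
UNLISTED = boot_chain(b"bios-1", b"tboot-1", b"kernel-C", b"initrd-C")

if __name__ == "__main__":
    for name, chain in [("release-B", RELEASE_B), ("tampered", TAMPERED),
                        ("unlisted", UNLISTED)]:
        m = measure(chain)
        print(name, evaluate(m, SIRR), mismatched(m, SIRR["release-A"]))
```

The tampered and unlisted chains both evaluate to Invalid, which is why an Invalid result alone cannot distinguish an out-of-date SIRR from a modified system.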

Display the current local attestation status using tmsh

You can use the TMOS Shell command-line interface (tmsh) to display and verify the current local attestation status of your system.
You can also verify the status of your system by performing a manual attestation. For information, see K93302141: Performing manual attestation with TPM on BIG-IP systems at support.f5.com/csp/article/K93302141.
Local attestation is supported on TPM-enabled systems running BIG-IP software version 14.0 and later.
  1. Log in to the command-line interface of the system using an administrative account.
  2. Open the TMOS Shell (tmsh).
    tmsh
  3. Display the current local attestation status.
    The -a option specifies appending of PCR data to a file, and the -v option displays more verbosity.
    run sys integrity status -a -v
    A message similar to this example displays the current status:
    System Integrity Status: Valid
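
One way to automate the check from step 3, as an added example rather than F5 tooling: it parses the status line shown above, retries while the state is Pending, and fails closed on output it cannot interpret. It assumes Python 3.7 or later with tmsh on the PATH, output containing the "System Integrity Status:" line shown above, and a severity mapping chosen for this example.

```python
import re
import subprocess
import time

# States from the table on this page, mapped to a monitoring severity (assumed policy).
SEVERITY = {"Valid": "OK", "Pending": "WARNING", "Not Supported": "WARNING",
            "Invalid": "CRITICAL", "Unavailable": "CRITICAL"}
STATUS_RE = re.compile(r"^\s*System Integrity Status:\s*(.*?)\s*$", re.MULTILINE)

def classify(output):
    """Return (state, severity); anything unexpected fails closed as CRITICAL."""
    states = set(STATUS_RE.findall(output))
    if len(states) != 1:
        return ("Unparsed", "CRITICAL")  # no status line, or contradictory lines
    state = states.pop()
    return (state, SEVERITY.get(state, "CRITICAL"))

def run_tmsh():
    """Run the status command from the BIG-IP shell and return its text output."""
    result = subprocess.run(["tmsh", "run", "sys", "integrity", "status"],
                            capture_output=True, text=True, timeout=120)
    return result.stdout

def check(run=run_tmsh, attempts=3, delay=30, sleep=time.sleep):
    """Poll while the state is Pending, then return the final (state, severity)."""
    for attempt in range(attempts):
        state, severity = classify(run())
        if state != "Pending":
            break
        if attempt < attempts - 1:
            sleep(delay)
    return state, severity
```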

About remote attestation

You can perform remote attestation of the Trusted Platform Module (TPM) chain of custody using the Platform Configuration Register (PCR) values, which the BIG-IP system computes for the BIOS and other important software components (such as the kernel and initrd), to confirm that the firmware is unmodified. You use BIG-IP iHealth to remotely verify the integrity of your system.
Remote attestation is supported on TPM-enabled systems running BIG-IP software version 14.1.0 and later.

Available system integrity states

This table lists the available remote attestation system integrity states for the Trusted Platform Module (TPM).
| State | Description |
|---|---|
| Valid | Indicates that the solicited System Integrity Measurement matches one of the sets of reference values in the local System Integrity Reference Repository (SIRR). |
| Invalid | Indicates that the System Integrity Measurement has been taken without error, but the values do not match any set of acceptable values in the local System Integrity Reference Repository. This could mean that the SIRR is out of date or that the system has been tampered with. |
| Unavailable | Indicates that an error has occurred. |

Create a support snapshot file for remote attestation using the Configuration utility

You can use the Configuration utility to create the support snapshot file that is used to verify the current remote attestation status of your system.
Remote attestation is supported on TPM-enabled systems running BIG-IP software version 14.1.0 and later.
  1. On the Main tab, click System > Support.
    The Support screen displays a list of existing support snapshot files.
  2. Click New Support Snapshot.
  3. For the Health Utility setting, select Generate and Upload QKView to iHealth.
    This creates a QKView file and uses your specified iHealth credentials to upload the file to the F5 iHealth portal.
  4. In the iHealth User ID field, type your iHealth user ID.
  5. In the iHealth Password field, type your iHealth user password.
  6. For the QKView Options settings, select any of these options for creating the QKView file.
    • Exclude Audit Files: Specifies whether the QKView includes the audit files.
    • Exclude Core Files: Specifies whether the QKView includes the core files.
    • Exclude Secure Files: Specifies whether the QKView includes secure files.
    • Exclude Bash History: Specifies whether the QKView includes the Bash history.
    • Unlimited snaplen: Specifies no limit for QKView file size, which ensures that the operation captures the maximum amount of data per packet.
      Although the wording suggests that file size is unlimited, there is an effective maximum, based on the largest expected QKView, which varies by release.
  7. In the Support Case (SR) Number field, type the F5 SR number that is associated with this QKView.
  8. In the Description field, type a description for this QKView.
  9. Click Start.

View remote attestation status using iHealth

Before you perform this procedure, be sure that you have created a support snapshot and uploaded it to F5 iHealth.
You can use F5 iHealth to verify the current remote attestation status of your system.
Remote attestation is supported on TPM-enabled systems running BIG-IP software version 14.1.0 and later.
  1. Log in to F5 iHealth (ihealth.f5.com/qkview-analyzer).
    The Uploads tab displays.
  2. Click the hostname for the system that you want to view.
    The attestation status for your system displays under Integrity Check.
    If the status is Valid, no further action is required. If the status is either Invalid or Unavailable, you must take additional actions immediately. For more information, see the "Resolve an Invalid or Unavailable remote attestation status" section.

Resolve an Invalid remote attestation status

If your system's remote attestation status is Invalid, you should take immediate steps to resolve it, as this status could indicate a possible breach.
  1. Isolate the system and notify your company's security department.
  2. Confirm the system's SIRR values by contacting F5 Support.

Resolve an Unavailable remote attestation status

If your system's remote attestation status is Unavailable, you should take immediate steps to resolve it.
  1. Confirm the system's SIRR values by contacting F5 Support.