Managing the TPM on SNS firewalls

This section explains how to check the status of the TPM, change its administration password, seal it, and disable it.

Checking the status of the TPM

From the web administration interface

This use case applies only to SNS 4.8.7 and higher versions.

  1. Go to Monitoring > Dashboard, in the Health indicators widget.

  2. Check the color of the TPM health indicator icon to find out its status.

None: The SNS firewall is not equipped with a TPM.

Grayed out icon: The SNS firewall is equipped with a TPM, but it has not been initialized.

Green icon: The TPM is initialized, running and protects at least one private key.

Orange icon: one of the following statuses applies:

  • The TPM is initialized, but is not protecting any private key. By hovering over the icon, the tooltip "The TPM has been initialized, but is not in use" confirms this status.

  • The TPM sealing policy has been changed. To apply it, reseal the TPM by following the Sealing the TPM procedure. By hovering over the icon, the tooltip "TPM sealing required in order to apply the new TPM sealing policy" confirms this status.

Red icon: one of the following statuses applies:

  • Tests on the TPM fail (it no longer responds).

  • The TPM can no longer be accessed because the hash values of the trusted PCRs have changed. To refresh them, reseal the TPM by following the Sealing the TPM procedure. By hovering over the icon, the tooltip "TPM sealing required in order to recover access to the TPM" confirms this status.

  • Secure Boot is disabled. A warning in the Messages widget of the Dashboard confirms that the feature is disabled.

From the CLI console

  1. Run this command:

    MONITOR TPM

  2. Check the result.

ondisk_init:
  • 1: the TPM is initialized,
  • 0: the TPM has not been initialized.

NOTE
The other tokens described below do not exist in SNS 4.3 LTSB versions.

secure_boot_enabled:
  • 1: Secure Boot is enabled,
  • 0: Secure Boot is disabled.

ondisk_pkeys_present:
  • 1: the TPM is protecting at least one private key,
  • 0: the TPM is not protecting any private key.

pcr_access_status:
  • Good: the TPM can be accessed; no action is required.
  • Legacy: the TPM sealing policy has been changed. To apply it, reseal the TPM by following the Sealing the TPM procedure. A message confirms this status.
  • NO: the TPM can no longer be accessed because the hash values of the trusted PCRs have changed. To refresh them, reseal the TPM by following the Sealing the TPM procedure. A message confirms this status.

message: provides additional information on the status of the TPM, if necessary.
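The following script is an added example and not Stormshield's code: it parses the tokens returned by MONITOR TPM and maps them to the status and the next action described above, so the check can be run from a monitoring job rather than read by hand. The sample response is constructed and assumes a "token=value" line layout; adapt parse_monitor_tpm() if the CLI response you observe is formatted differently. The "none" and "unknown" levels are assumptions for cases the status table does not cover.

```python
"""Interpret MONITOR TPM tokens (added example, not Stormshield's code)."""

from dataclasses import dataclass

# Constructed sample of a MONITOR TPM response; the real layout may differ.
SAMPLE_OUTPUT = """\
ondisk_init=1
secure_boot_enabled=1
ondisk_pkeys_present=1
pcr_access_status=Legacy
message=TPM sealing required in order to apply the new TPM sealing policy
"""

RESEAL = "reseal: SYSTEM TPM PCRSEAL tpmpassword=<password> (and serial=passive in HA)"


def parse_monitor_tpm(text: str) -> dict:
    """Turn 'token=value' lines into a dict; lines without '=' are ignored."""
    tokens = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        tokens[key.strip()] = value.strip()
    return tokens


@dataclass
class TpmStatus:
    level: str   # mirrors the dashboard icon: none, gray, green, orange, red, unknown
    reason: str  # which condition from the status table matched
    action: str  # what the operator should do next


def assess_tpm(tokens: dict) -> TpmStatus:
    """Apply the status table rules, checking the worst conditions first."""
    if "ondisk_init" not in tokens:
        # Assumption: no ondisk_init token means no TPM was reported at all.
        return TpmStatus("none", "no TPM tokens reported", "nothing to do")
    if tokens["ondisk_init"] != "1":
        return TpmStatus("gray", "TPM present but not initialized",
                         "initialize the TPM before relying on it")

    pcr = tokens.get("pcr_access_status")
    pkeys = tokens.get("ondisk_pkeys_present")
    secure_boot = tokens.get("secure_boot_enabled")
    if pcr is None and pkeys is None:
        # SNS 4.3 LTSB only returns ondisk_init; nothing more can be derived.
        return TpmStatus("unknown", "only ondisk_init reported (SNS 4.3 LTSB)",
                         "check the TPM status manually")

    # Red conditions: Secure Boot off, or PCR hashes changed (TPM unreachable).
    if secure_boot == "0":
        return TpmStatus("red", "Secure Boot disabled; TPM protection is incomplete",
                         "enable Secure Boot, then " + RESEAL)
    if pcr == "NO":
        return TpmStatus("red", "trusted PCR hashes changed; TPM inaccessible", RESEAL)

    # Orange conditions: new sealing policy not applied, or TPM not in use.
    if pcr == "Legacy":
        return TpmStatus("orange", "sealing policy changed but not yet applied", RESEAL)
    if pkeys == "0":
        return TpmStatus("orange", "TPM initialized but protecting no private key",
                         "none required; the TPM is not in use")

    if pcr == "Good" and pkeys == "1":
        return TpmStatus("green", "TPM initialized, accessible and protecting private keys",
                         "none")
    return TpmStatus("unknown", f"unrecognized token values: {tokens}",
                     "inspect the MONITOR TPM output manually")


if __name__ == "__main__":
    status = assess_tpm(parse_monitor_tpm(SAMPLE_OUTPUT))
    print(f"{status.level}: {status.reason} -> {status.action}")
```

Feed the script the text of a real MONITOR TPM response and alert on any level other than green; in a high availability cluster, run the check against both members, since each TPM is sealed separately.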

Changing the TPM administration password

Run this command:

SYSTEM TPM CHANGE currentpassword=<password> newpassword=<new_password>

  • Replace <password> with the current TPM password,
  • Replace <new_password> with the new TPM password, by following the recommendations in the section TPM administration password.

If you have forgotten the TPM password, refer to the section Troubleshooting.

Sealing the TPM

The TPM has to be sealed when it can no longer be accessed, or when its sealing policy has been modified. Sealing the TPM recalculates the hash values of the trusted PCRs. Check the status of the TPM to determine whether this operation is necessary.

IMPORTANT
If Secure Boot has not been enabled on the SNS firewall, you are advised to enable it before resealing the TPM. As a reminder, TPM protection is incomplete as long as the Secure Boot feature is not enabled.

From the web administration interface

This use case applies only to SNS 4.8.7 and higher versions.

  1. Log in to the SNS firewall web administration interface.

    A window automatically appears when the TPM needs to be sealed. In a high availability configuration, a window also appears if the TPM on the passive firewall needs to be sealed. If both members of the cluster are concerned, two windows will appear one after the other.

  2. Enter the TPM password in the relevant field.

  3. Click on OK.

From the CLI console

  1. Run this command by replacing <password> with the TPM password:

    SYSTEM TPM PCRSEAL tpmpassword=<password>

  2. If the SNS firewall is part of a high availability cluster, run this command to seal the TPM on the passive firewall:

    SYSTEM TPM PCRSEAL tpmpassword=<password> serial=passive

From the SSH console

SSH access must be allowed on the firewall. Only the admin account can perform this operation.

Run this command by replacing <password> with the TPM password:

tpmctl -svp <password>

Disabling the TPM

Run this command in a CLI console:

SYSTEM TPM RESET tpmpassword=<password> force=<on|off>

  • Replace <password> with the TPM password,
  • Enter force=on if private keys in certificates are protected by the TPM and you wish to disable it anyway. The protected private keys will then be decrypted.